apigee / devrel

Common solutions and tools developed for Apigee
Apache License 2.0

Usability Enhancement Suggestions for Envoy Quickstart #599

Closed danistrebel closed 1 year ago

danistrebel commented 2 years ago

Really nice tool @ganadurai. Some observations and suggestions from a recent install:

  1. https://github.com/apigee/devrel/tree/main/tools/apigee-envoy-quickstart#envoy-with-apigee-adapter-as-containers-within-kubernetes-platform Instead of "3. Download the Apigee Envoy PoC Toolkit binary." Can we assume people already have the DevRel repo cloned or at least make it optional i.e. not have aekitctl depend on a path outside of the solution folder?

  2. Better error handling: If the folders in https://github.com/apigee/devrel/blob/main/tools/apigee-envoy-quickstart/aekitctl.sh#L60 already exist. Would a -p work here?

  3. Hint in the README that the APIGEE_REMOTE_SRVC_CLI_VERSION version shouldn't contain the v-Prefix (the version tag in GH includes it so I naturally did when I set the variable) or provide an example.

  4. (Maybe this is an edge case but a good start for a troubleshooting section).

    Error Message:

    step 7 : setup-envoy-filters.sh
    Error from server (InternalError): error when creating "request-authentication.yaml": Internal error occurred: failed calling webhook "validation.istio.io": failed to call webhook: Post "https://istiod.istio-system.svc:443/validate?timeout=10s": context deadline exceeded

    Solution: If you're using a private cluster, you have to allow ingress on the Istio health check port 15017 from the k8s master to the worker nodes.

  5. Final Output

    
    Wait for few minutes for the Envoy and Apigee adapter to have the setup completed. Then try the below command

    kubectl --context="gke_strebel-pr-gana_us-central1-c_cluster-1" -n "apigee" run -it --rm --image=curlimages/curl --restart=Never curl --overrides='{"apiVersion":"v1", "metadata":{"annotations": { "sidecar.istio.io/inject":"false" } } }' -- curl -i httpbin.apigee.svc.cluster.local/headers -H 'x-api-key: KEY'

    Try with and without sending the x-api-key header: this proves the httpbin service is intercepted by the Envoy sidecar which has the Envoy filter configured to connect to Apigee adapter running as container that executes the key verification with the Apigee runtime
    If you don't see a command prompt, try pressing enter.
    Error attaching, falling back to logs: unable to upgrade connection: container curl not found in pod curlapigee
    HTTP/1.1 200 OK
    Validation of the apigee envoy quickstart engine successful
    admin@cloudshell



    Suggestion: Maybe try to highlight that everything was successful. My eyes automatically caught the error keyword but failed to see that the status was OK.

    Maybe we can add some whitespace before and after and some ASCII formatting / emojis to say that we're done?

ganadurai commented 2 years ago

For the Istio webhook error, isn't allowing port 15017 from master to worker nodes part of the Istio setup in the cluster? This validation call is not unique to the apigee-envoy setup (I guess).

So should we mention private clusters in the requirements section, and the need to open port 15017 from the master pool to the worker pool, instead of us automating the port openings between the nodes?

Thoughts?

danistrebel commented 2 years ago

Agreed with the Istio port 15017 comment. Fine with me.
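
The firewall opening discussed in this thread for private clusters, written out as an added example; it is not part of the issue, the quickstart, or the DevRel repo. The function names, the rule name, and the network, CIDR and node tag arguments are hypothetical placeholders, and the /24-or-narrower check is this example's own policy choice so the rule is scoped to the control plane range instead of an open source range.

```shell
#!/bin/sh
# Added example: scoped ingress rule for the Istio validation webhook (tcp:15017)
# on a private cluster. Every name and CIDR passed in is a placeholder.

# valid_master_cidr CIDR
# Returns 0 only if CIDR has the shape of an IPv4 range with a prefix of /24 to /32.
# (Shape check only; octet values are not range-checked.)
valid_master_cidr() {
  cidr=$1
  printf '%s' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  prefix=${cidr##*/}
  [ "$prefix" -ge 24 ] && [ "$prefix" -le 32 ]
}

# allow_istio_webhook NETWORK MASTER_CIDR NODE_TAG
# Creates one ingress rule: control plane range -> tagged worker nodes, tcp:15017 only.
allow_istio_webhook() {
  network=$1
  master_cidr=$2
  node_tag=$3
  if [ -z "$network" ] || [ -z "$node_tag" ]; then
    echo "usage: allow_istio_webhook NETWORK MASTER_CIDR NODE_TAG" >&2
    return 2
  fi
  # Refuse 0.0.0.0/0 and other broad ranges: only the control plane needs this port.
  if ! valid_master_cidr "$master_cidr"; then
    echo "refusing source range '$master_cidr': expected the control plane CIDR" >&2
    return 1
  fi
  gcloud compute firewall-rules create "allow-master-istio-webhook-${network}" \
    --network "$network" \
    --direction INGRESS \
    --action ALLOW \
    --rules tcp:15017 \
    --source-ranges "$master_cidr" \
    --target-tags "$node_tag"
}

# Example call with constructed values (not taken from the thread):
#   allow_istio_webhook demo-net 172.16.0.0/28 demo-node-tag
```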