All Products
Search

This Product

    Container Service for Kubernetes:Access gRPC services in a Service Mesh through an ASM ingress gateway

    Document Center

    Container Service for Kubernetes:Access gRPC services in a Service Mesh through an ASM ingress gateway

    Last Updated:Apr 24, 2025

    You can securely access gRPC services in a service mesh through an ASM ingress gateway. This approach enables precise access control for gRPC services, enhances service administration capabilities, and ensures secure inter-service communication. This topic describes how to access gRPC services in a service mesh through an ingress gateway and how to switch traffic between two versions of a gRPC service.

    Prerequisites

    Step 1: Deploy an application

    Deploy sample applications named istio-grpc-server-v1 and istio-grpc-server-v2.

    1. Create app.yaml.

      Expand to view YAML

      apiVersion: apps/v1
kind: Deployment
metadata:
  name: grpc-helloworld-py-v1
  labels:
    app: grpc-helloworld-py
    version: v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grpc-helloworld-py
      version: v1
  template:
    metadata:
      labels:
        app: grpc-helloworld-py
        version: v1
    spec:
      containers:
        - name: grpc-helloworld-py
          image: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-grpc-server:grpc-helloworld-py-v1.0
          imagePullPolicy: Always
          env:
            - name: podname
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
          ports:
            - containerPort: 50051
              name: grpc-port
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grpc-helloworld-py-v2
  labels:
    app: grpc-helloworld-py
    version: v2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grpc-helloworld-py
      version: v2
  template:
    metadata:
      labels:
        app: grpc-helloworld-py
        version: v2
    spec:
      containers:
        - name: grpc-helloworld-py
          image: registry.cn-hangzhou.aliyuncs.com/aliacs-app-catalog/istio-grpc-server:grpc-helloworld-py-v1.0
          imagePullPolicy: Always
          env:
            - name: podname
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
          ports:
            - containerPort: 50051
              name: grpc-port
---
apiVersion: v1
kind: Service
metadata:
  name: grpc-helloworld-py
  labels:
    app: grpc-helloworld-py
spec:
  ports:
    - port: 50051
      name: grpc-port
  selector:
    app: grpc-helloworld-py

    2. Deploy the application.

      kubectl apply -f app.yaml

    Step 2: Configure routing rules

    Create gateway rules, virtual services, and destination rules to route all traffic to istio-grpc-server-v1.

    1. Create rules.yaml.

      apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: grpc-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 8080
      name: grpc
      protocol: GRPC
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: dr-istio-grpc-server
spec:
  host: grpc-helloworld-py
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
  subsets:
    - name: v1
      labels:
        version: "v1"
    - name: v2
      labels:
        version: "v2"    
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grpc-vs
spec:
  hosts:
  - "*"
  gateways:
  - grpc-gateway
  http:
    - match:
        - port: 8080
      route:
        - destination:
            host: grpc-helloworld-py
            port:
              number: 50051
            subset: v1
          weight: 100
        - destination:
            host: grpc-helloworld-py
            port:
              number: 50051
            subset: v2
          weight: 0

    2. Deploy the rules.

      kubectl apply -f rules.yaml

    Step 3: Deploy a new ingress gateway or reuse an existing one

    Create a new ingress gateway

    Create an ingress gateway, and add port 8080 when configuring Port Mapping.

    Add port 8080 to an existing ingress gateway

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

    3. On the Ingress Gateway page, click the name of the target gateway. On the Gateway Overview page, in the Basic Options section, click the Port Configuration Dingtalk_20230104170049.jpg icon next to Port Mapping. In the Add Port dialog box, set Protocol to TCP, set Service Port to 8080, and then click Confirm.

    Step 4: Run the gRPC client

    1. Install the grpcurl command-line tool and run the following command:

      grpcurl -d '{"name": "Jack"}' -plaintext {Ingress gateway IP address}:8080 helloworld.Greeter/SayHello

    2. The following output indicates that all requests are routed to istio-grpc-server-v1.

       "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
 "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
 "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
 "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
 "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"

    Step 5: Transfer a specific ratio of the traffic to Istio-grpc-server-v2

    Update the virtual service to route 40% of the traffic to istio-grpc-server-v2 and the remaining 60% to istio-grpc-server-v1.

    1. Edit the virtual service.

      kubectl edit VirtualService grpc-vs

      Modify the route section as follows and save the changes.

      ....
      route:
        - destination:
            host: grpc-helloworld-py
            port:
              number: 50051
            subset: v1
          weight: 60
        - destination:
            host: grpc-helloworld-py
            port:
              number: 50051
            subset: v2
          weight: 40

    2. Continue to use grpcurl to execute the following command to access the gRPC service in the service mesh.

      grpcurl -d '{"name": "Jack"}' -plaintext {Ingress gateway IP address}:8080 helloworld.Greeter/SayHello

      The output indicates that 40% traffic is routed to istio-grpc-server-v2.

      Note

      Your test results may not always show exactly 40 out of 100 requests routed to istio-grpc-server-v2, but the overall ratio will be close to 40%.

      "message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v2-7f56b49b7f-9vvr7!"
"message": "Hello, Jack! I'm from grpc-helloworld-py-v1-79b5dc9654-cg4dq!"