Use delegates to configure virtual services in an ASM instance - Alibaba Cloud Service Mesh

When you use a virtual service to define routing rules for a service that contains multiple microservices or routing rules, the virtual service is complex, which brings much maintenance work. To reduce risks brought by changes in routing rules, Alibaba Cloud Service Mesh (ASM) introduces delegates to manage routing rules in a more fine-grained manner. This topic shows you how to use multiple virtual services to define routing rules for a service. The Bookinfo application is used as an example.

Prerequisites

An ASM instance is created. For more information, see Create an ASM instance.

Note The ASM instance must be v1.8.6.4-g814070fe-aliyun or later.
An ACK managed cluster is created. For more information, see Create an ACK managed cluster.
The cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
An ingress gateway service is deployed. For more information, see Deploy an ingress gateway service.
An application is deployed in the ACK cluster that is added to the ASM instance. For more information, see Deploy an application in an ASM instance.

Background information

In an ASM instance, a virtual service is used to define routing rules for a service. The routing rules control the traffic routing of the service. In actual scenarios, you may need to maintain a complex virtual service. Each time you modify the routing rules that are defined by the virtual service, you must modify the virtual service. After the routing rules are modified, the routing rules may conflict with each other, specific routing rules may be redundant, or the routing rules may be coupled with each other. Configuration errors of routing rules may affect the services that are deployed in the cluster on the data plane or even make all services inaccessible.

ASM introduces delegates to extend the configuration of virtual services, which allows you to decouple routing rules that are defined for a service. You can split a virtual service into a primary virtual service and multiple secondary virtual services. The primary virtual service defines the overall routing rules of a service. Each secondary virtual service defines a detailed routing rule of the service. The primary virtual service is maintained by administrators, while the secondary virtual services are maintained by service maintainers. This greatly reduces risks that are brought by changes in routing rules and improves the efficiency of independent service deployment and updates.

Usage notes

You can set delegate parameters only in a primary virtual service. If you set delegate parameters both in a primary virtual service and secondary virtual services, the primary virtual service and secondary virtual services do not take effect.
The HTTPMatchRequest configuration in secondary virtual services must be a subset of that in the primary virtual service. Otherwise, a conflict exists, and the HTTPRoute configuration does not take effect.
Delegate parameters can be specified only when the route and redirect parameters in the primary virtual service are left empty. The hosts parameter in secondary virtual services must be left empty. The routing rules that are defined by secondary virtual services are combined with the routing rules that are defined by the primary virtual service.

Step 1: Configure an Istio gateway

Log on to the ASM console.
In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose ASM Gateways > Gateway in the left-side navigation pane. On the Gateway page, click Create from YAML.
On the Create page, select a namespace from the Namespace drop-down list, copy the following content to the code editor, and then click Create. In this example, the default namespace is used.
```
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
```
Set the number parameter to 80. This setting specifies that the Bookinfo application can receive inbound or outbound HTTP connections by using port 80.

Step 2: Configure a primary virtual service

Log on to the ASM console.
In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose Traffic Management Center > VirtualService in the left-side navigation pane. On the VirtualService page, click Create from YAML.
On the Create page, select a namespace from the Namespace drop-down list, copy the following content to the code editor, and then click Create. In this example, the default namespace is used.
The following content can be used to create a vs-1 delegate and a vs-2 delegate. The vs-1 delegate specifies that only request URLs that contain /log can be used to access the Bookinfo application. The vs-2 delegate specifies that only request URLs that contain / can be used to access the Bookinfo application.
```
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
  namespace: default
spec:
  gateways:
    - bookinfo-gateway
  hosts:
    - '*'
  http:
    - delegate:
        name: vs-1
        namespace: ns1
      match:
        - uri:
            prefix: /log
    - delegate:
        name: vs-2
        namespace: ns1
      match:
        - uri:
            prefix: /
```
Description of the delegate parameter:
- name: the name of delegate.
- namespace: the namespace of delegate.

Step 3: Configure secondary virtual services

Log on to the ASM console.
In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
On the details page of the ASM instance, choose Traffic Management Center > VirtualService in the left-side navigation pane. On the VirtualService page, click Create from YAML.
On the Create page, select a namespace from the Namespace drop-down list, copy the following content to the code editor, and then click Create. In this example, the ns1 namespace is used.
```
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs-1
  namespace: ns1
spec:
  http:
    - match:
        - uri:
            exact: /login
        - uri:
            exact: /logout
      route:
        - destination:
            host: productpage.default.svc.cluster.local
            port:
              number: 9080
```
- metadata: associates the secondary virtual service with a delegate in the primary virtual service. The settings of metadata must be the same as those of a delegate in the primary virtual service. In this substep, the settings of metadata are the same as those of the vs-1 delegate. This means that the secondary virtual service is associated with the vs-1 delegate.
- match: specifies filter conditions for HTTP requests. In this substep, the uri field is set to exact: /login and exact: /logout. This setting specifies that you can log on to or log off from the Bookinfo application.
Repeat Substep 5. On the Create page, select a namespace from the Namespace drop-down list, copy the following content to the code editor, and then click Create.
```
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs-2
  namespace: ns1
spec:
  http:
    - match:
        - uri:
            exact: /productpage
        - uri:
            prefix: /static
        - uri:
            prefix: /api/v1/products
      route:
        - destination:
            host: productpage.default.svc.cluster.local
            port:
              number: 9080
```
- metadata: associates the secondary virtual service with a delegate in the primary virtual service. The settings of metadata must be the same as those of a delegate in the primary virtual service. In this substep, the settings of metadata are the same as those of the vs-2 delegate. This means that the secondary virtual service is associated with the vs-2 delegate.
- match: specifies filter conditions for HTTP requests. In this substep, the setting specifies that only request URLs that contain /productpage or start with /static or /api/v1/products can be used to access the Bookinfo application.

Step 4: Query the IP address of the ingress gateway

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the details page, choose Network > Services
At the top of the Services page, select istio-system from the Namespace drop-down list. Find the ingress gateway that is named istio-ingressgateway and view the IP address whose port is 80 in the External Endpoint column.

Verify the result

Enter http://<IP address of the ingress gateway>/productpage in the address bar of a browser. The following page appears. This means that the Bookinfo application is accessed by using the request URL that contains /productpage. The result indicates that the secondary virtual service that is associated with the vs-2 delegate takes effect. Service

Click Sign in in the upper-right corner. In the dialog box that appears, enter the username and password to log on to the Bookinfo application. The following page appears. This means that you have logged on to the Bookinfo application. The result indicates that the secondary virtual service that is associated with the vs-1 delegate takes effect. Click Sign in