Overview
The Istio CLI can be useful for quickly debugging issues with the experimental Istio addon included with Konvoy.
PLEASE NOTE: Istio is still considered an experimental addon and D2iQ only supports its use in Production in conjunction with our Kaptain product.
Solution
To get started, download the latest Istio release, which includes istioctl:
curl -L https://istio.io/downloadIstio | sh -
Move the istioctl binary to your path:
sudo cp istio-1.8.2/bin/istioctl /usr/local/bin/istioctl
See Istio's official documentation for more info:
https://istio.io/latest/docs/setup/getting-started/#download
If you have a Konvoy cluster running and have already exported your kubeconfig for this cluster, you are now ready to start using istioctl.
The proxy-status command provides a quick glance at the overall health of Istio's mesh:
istioctl proxy-status
NAME                                                 CDS      LDS      EDS      RDS        ISTIOD                    VERSION
istio-ingressgateway-78989b6549-47ts2.istio-system   SYNCED   SYNCED   SYNCED   NOT SENT   istiod-86bc75d778-vsz26   1.6.11
istio-ingressgateway-78989b6549-plccq.istio-system   SYNCED   SYNCED   SYNCED   NOT SENT   istiod-86bc75d778-kmdld   1.6.11
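To check this output from a script rather than by eye, the following added example (not part of the original article or of Istio's tooling) reports every proxy with an xDS column in the STALE state, which Istio uses when istiod has sent configuration that the proxy has not acknowledged. The function names and the third sample row are assumptions made for illustration; the column layout is the one shown above.

```shell
#!/bin/sh
# Added example: find STALE xDS columns in `istioctl proxy-status` output.

# stale_proxies: reads proxy-status text on stdin and prints
# "<proxy name> <xDS type>" for every column whose status is STALE.
# Empty output means no proxy is stale.
stale_proxies() {
    awk '
        # "NOT SENT" contains a space; join it so whitespace splitting
        # keeps one field per column.
        { gsub(/NOT SENT/, "NOT_SENT") }
        NR == 1 {
            # Header row: remember the column names (CDS, LDS, ...).
            for (i = 1; i <= NF; i++) col[i] = $i
            next
        }
        NF < 2 { next }    # skip blank lines
        {
            for (i = 2; i <= NF; i++)
                if ($i == "STALE") print $1, col[i]
        }
    '
}

# Constructed sample input: the first two rows come from the article,
# the third row (demo-app, STALE EDS) is hypothetical.
sample_status() {
    cat <<'EOF'
NAME                                                 CDS      LDS      EDS      RDS        ISTIOD                    VERSION
istio-ingressgateway-78989b6549-47ts2.istio-system   SYNCED   SYNCED   SYNCED   NOT SENT   istiod-86bc75d778-vsz26   1.6.11
istio-ingressgateway-78989b6549-plccq.istio-system   SYNCED   SYNCED   SYNCED   NOT SENT   istiod-86bc75d778-kmdld   1.6.11
demo-app-5d8f7c9b6d-abcde.default                    SYNCED   SYNCED   STALE    SYNCED     istiod-86bc75d778-vsz26   1.6.11
EOF
}

# Offline demonstration on the sample; against a live cluster use:
#   istioctl proxy-status | stale_proxies
sample_status | stale_proxies
```

A proxy reported here is still running its previous configuration, so recent routing or policy changes may not be in effect on it yet.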
The proxy-config command can be used to inspect the Envoy configuration for a given ingress gateway:
istioctl proxy-config cluster -n istio-system istio-ingressgateway-78989b6549-47ts2.istio-system
SERVICE FQDN                                            PORT   SUBSET   DIRECTION   TYPE     DESTINATION RULE
BlackHoleCluster                                        -      -        -           STATIC
agent                                                   -      -        -           STATIC
alertmanager-operated.kubeaddons.svc.cluster.local      9093   -        outbound    EDS
alertmanager-operated.kubeaddons.svc.cluster.local      9094   -        outbound    EDS
auto-provisioning-cm-metrics.konvoy.svc.cluster.local   443    -        outbound    EDS
auto-provisioning-tfcb.konvoy.svc.cluster.local         443    -        outbound    EDS
For more information about debugging Envoy see the official documentation here:
https://istio.io/latest/docs/ops/diagnostic-tools/proxy-cmd/
The istioctl analyze command can be used to check the live configuration in your Konvoy cluster and give you helpful diagnostic info:
istioctl analyze
Warning [IST0002] (CustomResourceDefinition clusterrbacconfigs.rbac.istio.io) Deprecated: Custom resource type rbac.istio.io ClusterRbacConfig is removed
Warning [IST0002] (CustomResourceDefinition rbacconfigs.rbac.istio.io) Deprecated: Custom resource type rbac.istio.io RbacConfig is removed
Warning [IST0002] (CustomResourceDefinition servicerolebindings.rbac.istio.io) Deprecated: Custom resource type rbac.istio.io ServiceRoleBinding is removed
Warning [IST0002] (CustomResourceDefinition serviceroles.rbac.istio.io) Deprecated: Custom resource type rbac.istio.io ServiceRole is removed
Info [IST0102] (Namespace default) The namespace is not enabled for Istio injection. Run 'kubectl label namespace default istio-injection=enabled' to enable it, or 'kubectl label namespace default istio-injection=disabled' to explicitly mark it as not needing injection.
In the example output, we can see that istio-proxy injection isn't enabled in the default namespace, and the output includes information on how to enable it.