Route traffic from Cloud Run Services to Cloud Service Mesh workloads on GKE

Preview

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Note: This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see Cloud Service Mesh overview.

This page shows you how to securely route network traffic from Cloud Run Services to Cloud Service Mesh workloads on GKE, so that the Cloud Run side uses the Istio APIs and a fully managed Envoy sidecar.

Before you begin

The following sections assume that you have a GKE cluster with Cloud Service Mesh enabled.

If you don't have a GKE Service deployed, use the following command to deploy a sample service:

cat <<EOF > /tmp/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: ads
spec:
  ports:
  - port: 9999
    targetPort: 8000
  selector:
    run: ads
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ads
spec:
  replicas: 1
  selector:
    matchLabels:
      run: ads
  template:
    metadata:
      labels:
        run: ads
    spec:
      containers:
      - image: docker.io/waip/simple-http:v1.0.1
        name: my-http2-svc
        ports:
        - protocol: TCP
          containerPort: 8000
      securityContext:
        fsGroup: 1337
EOF
kubectl apply -f /tmp/service.yaml

Configure a Custom Domain for VirtualService hosts

A virtual service defines traffic routing rules. Any matched traffic is then sent to a named destination service.

  1. Create a new managed zone:

    gcloud dns managed-zones create ZONE_NAME \
      --description="zone for service mesh routes" \
      --dns-name=DNS_SUFFIX. \
      --networks=default \
      --visibility=private

    where:

    • ZONE_NAME is a name for your zone (example: 'prod').
    • DNS_SUFFIX is any valid DNS host (example: 'mesh.private').
  2. Create a resource record set:

    IP=10.0.0.1
    gcloud dns record-sets create '*.'"DNS_SUFFIX." --type=A --zone="ZONE_NAME" \
      --rrdatas="$IP" --ttl=3600

    Ensure the IP (an RFC 1918 address is required) is not already in use. Alternatively, reserve a static internal IP.

  3. Export a VirtualService for External Cloud Run Clients:

    cat <<EOF > virtual-service.yaml
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: VIRTUAL_SERVICE_NAME
      namespace: NAMESPACE
    spec:
      hosts:
      - GKE_SERVICE_NAME.DNS_SUFFIX
      gateways:
      - external-mesh
      http:
      - route:
        - destination:
            host: GKE_SERVICE_NAME
    EOF
    kubectl apply -f virtual-service.yaml

    where:

    • VIRTUAL_SERVICE_NAME is a name for your VirtualService.
    • NAMESPACE is default if you're using the provided example service; otherwise, replace NAMESPACE with your namespace name.
    • GKE_SERVICE_NAME is ads if you're using the provided example service; otherwise, replace GKE_SERVICE_NAME with the name of your GKE service.

While it is feasible to add an external-mesh gateway as a target to a pre-existing VirtualService, you should create a distinct VirtualService to export a Kubernetes service to external Cloud Run clients. A separate VirtualService lets you manage exported services and their configuration without affecting existing GKE clients. Additionally, some VirtualService fields are ignored for mesh external VirtualServices but continue to work as expected for GKE services, so managing and troubleshooting the two kinds of VirtualService separately is simpler.

For GKE clients to also receive the VirtualService configuration, the mesh or mesh/default gateway must be added.

The mesh external VirtualService must be defined in the same namespace as the Kubernetes Service in the VirtualService destination.
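As an added pre-flight helper for the record-set and VirtualService steps above (example code, not from the Google Cloud documentation), the POSIX shell functions below check that a chosen record IP falls inside an RFC 1918 range and render the VirtualService manifest, optionally adding the mesh gateway so in-cluster GKE clients receive the same routes. The values ads, default and mesh.private are the page's sample names; ads-external is an assumed VirtualService name.

```shell
#!/bin/sh
# Added example (not from the Google Cloud docs): pre-flight helpers for the
# DNS record and VirtualService steps. POSIX sh; needs no cloud access.

# Return 0 if IP is a dotted quad inside 10/8, 172.16/12 or 192.168/16 (RFC 1918).
is_rfc1918() {
  _old_ifs="$IFS"; IFS=.
  set -f; set -- $1; set +f        # split on dots without glob expansion
  IFS="$_old_ifs"
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    case "$_o" in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric octet
    [ "$_o" -le 255 ] || return 1
  done
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  return 1
}

# Print a VirtualService that exports SVC (in NS) as SVC.SUFFIX through the
# external-mesh gateway; pass with-mesh as the 5th argument to also add the
# mesh gateway so in-cluster GKE clients get the same routes.
render_virtual_service() {
  _name="$1"; _ns="$2"; _svc="$3"; _suffix="$4"; _mode="${5:-external-only}"
  cat <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ${_name}
  namespace: ${_ns}
spec:
  hosts:
  - ${_svc}.${_suffix}
  gateways:
  - external-mesh
EOF
  [ "$_mode" = "with-mesh" ] && echo "  - mesh"
  cat <<EOF
  http:
  - route:
    - destination:
        host: ${_svc}
EOF
}

# Example run with the page's sample service (assumed names):
# is_rfc1918 10.0.0.1 && render_virtual_service ads-external default ads mesh.private > virtual-service.yaml
```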

Configure a Cloud Run Service to join a service mesh

To join a Cloud Run Service to a service mesh, perform the following steps:

  1. Determine the mesh ID backing the Cloud Service Mesh GKE cluster:

    MESH=$(kubectl get controlplanerevision --namespace istio-system -o json \
      | jq -r '.items[0].metadata.annotations["mesh.cloud.google.com/external-mesh"]')

  2. Deploy a Cloud Run Service using the mesh ID, making sure to also connect to the cluster's VPC network:

    gcloud alpha run deploy mesh-svc --image=fortio/fortio \
      --mesh "$MESH" --network default \
      --region=REGION --project=PROJECT_ID --no-allow-unauthenticated

  3. Verify that the Cloud Run service is able to send a request to the GKE workload:

    TEST_SERVICE_URL=$(gcloud run services describe mesh-svc --region REGION \
      --format="value(status.url)" --project=PROJECT_ID)
    curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
      "$TEST_SERVICE_URL/fortio/fetch/GKE_SERVICE_NAME.DNS_SUFFIX"

    The output should be a valid HTTP 200 response.

Troubleshooting

This section shows you how to troubleshoot common errors with Cloud Service Mesh and Cloud Run.

Cloud Run Sidecar Logs

Envoy errors are logged in Cloud Logging.

For example, an error such as the following is logged if the Cloud Run service account has not been granted the trafficdirector client role in the mesh project:

StreamAggregatedResources gRPC config stream to trafficdirector.googleapis.com:443 closed: 7, Permission 'trafficdirector.networks.getConfigs' denied on resource '//trafficdirector.googleapis.com/projects/525300120045/networks/mesh:test-mesh/nodes/003fb3e0c8927482de85f052444d5e1cd4b3956e82b00f255fbea1e114e1c0208dbd6a19cc41694d2a271d1ab04b63ce7439492672de4499a92bb979853935b03d0ad0' (or it may not exist).
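The log line above can be turned into a check. As an added example (not from the Google Cloud documentation), the POSIX shell functions below classify Envoy sidecar lines exported from Cloud Logging, pull the mesh project number and mesh name out of a permission-denied line, and print the IAM binding that grants the missing role. The role ID roles/trafficdirector.client is assumed, and the sample lines, project number, mesh name, node id and service account are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Google Cloud docs): classify Envoy sidecar log
# lines and map a trafficdirector permission error to its IAM fix. POSIX sh.

# Constructed sample lines; project number, mesh name and node id are placeholders.
SAMPLE_DENIED="StreamAggregatedResources gRPC config stream to trafficdirector.googleapis.com:443 closed: 7, Permission 'trafficdirector.networks.getConfigs' denied on resource '//trafficdirector.googleapis.com/projects/123456789012/networks/mesh:example-mesh/nodes/PLACEHOLDER_NODE_ID' (or it may not exist)."
SAMPLE_OK="StreamAggregatedResources gRPC config stream to trafficdirector.googleapis.com:443 established"

# Print one of: "missing-role project=<n> mesh=<name>", "xds-stream-closed", "ok".
diagnose_envoy_line() {
  _line="$1"
  case "$_line" in
    *"Permission 'trafficdirector.networks.getConfigs' denied"*)
      # The resource path carries the mesh project and mesh name.
      _project=$(printf '%s\n' "$_line" | sed -n 's#.*/projects/\([0-9]*\)/networks/mesh:\([^/]*\)/.*#\1#p')
      _mesh=$(printf '%s\n' "$_line" | sed -n 's#.*/projects/\([0-9]*\)/networks/mesh:\([^/]*\)/.*#\2#p')
      printf 'missing-role project=%s mesh=%s\n' "$_project" "$_mesh" ;;
    *"trafficdirector.googleapis.com:443 closed"*)
      printf 'xds-stream-closed\n' ;;          # closed for another reason: inspect the status code
    *) printf 'ok\n' ;;
  esac
}

# Read log lines from stdin and report the first actionable finding.
scan_envoy_log() {
  while IFS= read -r _l; do
    _d=$(diagnose_envoy_line "$_l")
    [ "$_d" = "ok" ] || { printf '%s\n' "$_d"; return 0; }
  done
  printf 'ok\n'
}

# Print the binding that resolves a missing-role finding. PROJECT is the mesh
# project from the log; SA is the Cloud Run service account (assumed role ID).
remediation_for() {
  printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=roles/trafficdirector.client\n' "$1" "$2"
}

# Example: printf '%s\n%s\n' "$SAMPLE_OK" "$SAMPLE_DENIED" | scan_envoy_log
```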

CSDS

The trafficdirector client state can be retrieved using CSDS:

gcloud alpha container fleet mesh debug proxy-status --membership=<CLUSTER_MEMBERSHIP> --location=<CLUSTER_LOCATION>

External Clients:
....


Last updated 2026-02-19 UTC.