Apigee-Istio Adapater not working

[ramjivenkat]

Hi,

I have k8s version 1.11 and using istio 1.1.12.
Deployed the bookinfo application and was working fine.
Installed apigee adapter 1.4.1 version.

I have followed all the instructions from https://docs.apigee.com/api-platform/istio-adapter/install-istio_1_1#install_a_test_service

Without api key, helloworld application is working fine.
With api key, the authentication is not applying and I am the actual response directly.

Followed this issues as well
#286 there seems to be no error.
https://github.com/apigee/istio-mixer-adapter/wiki/Debug-Authorization-check-in-Istio-1.1.x I can able to fetch the exact responses that where given.

Divergence: When creating the API product, I couldn't find Custom resources as described in the tutorial. There is only API resources, where I added the istio-auth proxy and the / path as the tutorial says

[theganyo]

Turn on debugging on the adapter and check the logs. It sounds like it's not being called by Istio for some reason.

Also: The divergence you encountered in the UI for being able to add an "Istio Service" is because we're transitioning to a new model (see: https://docs.apigee.com/api-platform/envoy-adapter/concepts). For the Istio Adapter, use https://docs.apigee.com/api-platform/istio-adapter/reference#binding_commands instead of the API Product UI.

[theganyo]

It looks like everything is registered correctly but the adapter's not being called. Check:

1. That you have a sidecar on the target
2. That you have the rule that applies to that target.

[ramjivenkat]

Yes I have a sidecar on the targer and have 2 instance of the app is running.

Yes the rule file actually applies to the target.

After some modifications I got authentication error but my adapter logs is throwing error. For reference I have added the adapter log file here. Still there is no success responses. Tried all the methods and atlast now adapter is throwing error.
apigee-adapter logs.txt

This is my rule.yaml file. Since I have deployed my helloworld application in isito-system namespace as per the documentation(https://docs.apigee.com/api-platform/istio-adapter/install-istio_1_1).

[theganyo]

This rule is going to limit inbound for all services in istio-system. Not what you want. Try changing the rule to limit it to your helloworld. For example, add this to the match: destination.service.name == "helloworld"

[ramjivenkat]

Modified the rule file

Even after changing the rule and addding the authorization Still it throws the error.

~/apigee-istio-adapter$ curl http://$HELLOWORLD_URL/hello -H "x-api-key: Consumer Key "
INTERNAL:performing check operation failed: 1 error occurred:%0A%0A rpc error: code = DeadlineExceeded desc = context deadline exceeded(base)*

after three hits getting this error

curl http://$HELLOWORLD_URL/hello -H "x-api-key: Consumer Key"
PERMISSION_DENIED:apigee-handler.handler.istio-system:internal error(base)

If give this command, no templates are gettting displayed.

kubectl get templates

[theganyo]

For some reason the adapter service is unable to reach Apigee. I’m not sure why that is... do you have a firewall or egress rules that prevent the communication?

[ramjivenkat]

Hi,

There is no firewall issue. All the ports are been opened.

For reference I have attached the egress logs.
egress-gateway logs.txt

Inside the pilot logs, these both error appears
2020-07-13T03:48:39.838469Z error mcp Error receiving MCP resource: rpc error: code = Unavailable desc = transport is closing
2020-07-13T03:48:39.838491Z error mcp Error receiving MCP response: rpc error: code = Unavailable desc = transport is closing

[theganyo]

If you have an active egress, you'll need to make sure you have proper rules in place to allow the adapter to access the Apigee proxy.