Egressgateway enable to see the requests in the log

Question

I am following the istio 1.6 documentation example.

I have deployed a ServiceEntry:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: cnn
spec:
  hosts:
  - edition.cnn.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS

The Gateway and destination rule:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - edition.cnn.com
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-cnn
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: cnn

and the VirtualService:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-cnn-through-egress-gateway
spec:
  hosts:
  - edition.cnn.com
  gateways:
  - istio-egressgateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: cnn
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: edition.cnn.com
        port:
          number: 80
      weight: 100

Everything like it is in the tutorial, then I ran:

 kubectl exec -it $SOURCE_POD -c sleep -- curl -sL -o /dev/null -D - http://edition.cnn.com/politics

However, in step 6:

Check the log of the istio-egressgateway pod for a line corresponding to our request. If Istio is deployed in the istio-system namespace, the command to print the log is:

$ kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail

You should see a line similar to the following:

[2019-09-03T20:57:49.103Z] "GET /politics HTTP/2" 301 - "-" "-" 0 0 90 89 "10.244.2.10" "curl/7.64.0" "ea379962-9b5c-4431-ab66-f01994f5a5a5" "edition.cnn.com" "151.101.65.67:80" outbound|80||edition.cnn.com - 10.244.1.5:80 10.244.2.10:50482 edition.cnn.com -

I cannot see anything in my logs, it looks like the traffic is not getting passed by the egressgateway. What am I doing wrong, I am basically following the same steps as the tutorial

Answer 1

https://istio.io/latest/docs/tasks/observability/logs/access-log/#enable-envoys-access-logging

Istio offers a few ways to enable access logs. Use of the Telemetry API is recommended.

$ kubectl apply -f - <<EOF
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  accessLogging:
    - providers:
      - name: envoy
EOF

Or using Mesh Config:

$ istioctl install <flags-you-used-to-install-Istio> --set meshConfig.accessLogFile=/dev/stdout

This is a part of my istio mesh config:

  meshConfig:
    accessLogFile: /dev/stdout
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
  profile: demo
  tag: 1.17.1

Answer 2

I managed to reproduce your issue. It seems you skipped the Enable Envoy’s access logging mentioned in Before you begin section.

what you need to do is to issue the command

istioctl install --set profile=demo --set meshConfig.accessLogFile="/dev/stdout"

then send the request again

kubectl exec -it $SOURCE_POD -c sleep -- curl -sL -o /dev/null -D - https://edition.cnn.com/politics

and check the logs

kubectl logs -l istio=egressgateway -n istio-system

after doing all that, I see in my logs

...
[2021-05-14T05:51:41.940Z] "GET /politics HTTP/2" 301 - "-" "-" 0 0 23 22 "10.4.2.6" "curl/7.69.1" "fc2903d6-904c-91ce-bfde-24f395db67eb" "edition.cnn.com" "151.101.65.67:80" outbound|80||edition.cnn.com 10.4.0.10:57078 10.4.0.10:8080 10.4.2.6:36238 - -