This is an automated email from the ASF dual-hosted git repository.

zhongxjian pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo-kubernetes.git


The following commit(s) were added to refs/heads/master by this push:
     new 50b9e8ba Update grpc sample readme (#826)
50b9e8ba is described below

commit 50b9e8badadcd5d6d4f0d6e3d44b144593f316a0
Author: mfordjody <[email protected]>
AuthorDate: Sat Nov 22 23:03:35 2025 +0800

    Update grpc sample readme (#826)
---
 samples/grpc-app/README.md | 147 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 147 insertions(+)

diff --git a/samples/grpc-app/README.md b/samples/grpc-app/README.md
index 15629269..67383db3 100644
--- a/samples/grpc-app/README.md
+++ b/samples/grpc-app/README.md
@@ -142,6 +142,153 @@ kubectl exec <pod-name> -c app -n grpc-app -- cat 
/etc/dubbo/proxy/grpc-bootstra
 kubectl logs <pod-name> -c dubbo-proxy -n grpc-app | grep -i xds
 ```
 
+## Traffic Management
+
+### Creating subsets with SubsetRule
+
+First, create a subset for each version of the workload to enable traffic 
splitting:
+
+```bash
+cat <<EOF | kubectl apply -f -
+apiVersion: networking.dubbo.apache.org/v1
+kind: SubsetRule
+metadata:
+  name: producer-versions
+  namespace: grpc-app
+spec:
+  host: producer.grpc-app.svc.cluster.local
+  subsets:
+  - name: v1
+    labels:
+      version: v1
+  - name: v2
+    labels:
+      version: v2
+EOF
+```
+
+### Traffic shifting
+
+Using the subsets defined above, you can send weighted traffic to different 
versions. The following example sends 20% of traffic to v1 and 80% to v2:
+
+```bash
+cat <<EOF | kubectl apply -f -
+apiVersion: networking.dubbo.apache.org/v1
+kind: ServiceRoute
+metadata:
+  name: producer-weights
+  namespace: grpc-app
+spec:
+  hosts:
+  - producer.grpc-app.svc.cluster.local
+  http:
+  - route:
+    - destination:
+        host: producer.grpc-app.svc.cluster.local
+        subset: v1
+      weight: 20
+    - destination:
+        host: producer.grpc-app.svc.cluster.local
+        subset: v2
+      weight: 80
+EOF
+```
+
+Now, send a set of 10 requests to verify the traffic distribution:
+
+```bash
+grpcurl -plaintext -d '{"url": 
"xds:///producer.grpc-app.svc.cluster.local:7070", "count": 10}' 
localhost:17171 echo.EchoTestService/ForwardEcho | jq -r '.output | join("")' | 
grep ServiceVersion
+```
+
+The response should contain mostly `v2` responses, demonstrating the weighted 
traffic splitting:
+
+```plain
+[0 body] ServiceVersion=v2
+[1 body] ServiceVersion=v2
+[2 body] ServiceVersion=v1
+[3 body] ServiceVersion=v2
+[4 body] ServiceVersion=v1
+[5 body] ServiceVersion=v2
+[6 body] ServiceVersion=v2
+[7 body] ServiceVersion=v2
+[8 body] ServiceVersion=v2
+[9 body] ServiceVersion=v2
+```
+
+## Enabling mTLS
+
+Due to the changes to the application itself required to enable security in 
gRPC, Dubbo Kubernetes's traditional method of automatically detecting mTLS 
support is unreliable. For this reason, the initial release requires explicitly 
enabling mTLS on both the client and server.
+
+### Enable client-side mTLS
+
+To enable client-side mTLS, apply a `SubsetRule` with `tls` settings:
+
+```bash
+cat <<EOF | kubectl apply -f -
+apiVersion: networking.dubbo.apache.org/v1
+kind: SubsetRule
+metadata:
+  name: producer-mtls
+  namespace: grpc-app
+spec:
+  host: producer.grpc-app.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+EOF
+```
+
+Now an attempt to call the server that is not yet configured for mTLS will 
fail:
+
+```bash
+grpcurl -plaintext -d '{"url": 
"xds:///producer.grpc-app.svc.cluster.local:7070"}' localhost:17171 
echo.EchoTestService/ForwardEcho | jq -r '.output | join("")'
+```
+
+Expected error output:
+```json
+{
+  "output": [
+    "ERROR:\nCode: Unknown\nMessage: 1/1 requests had errors; first error: rpc 
error: code = Unavailable desc = all SubConns are in TransientFailure"
+  ]
+}
+```
+
+### Enable server-side mTLS
+
+To enable server-side mTLS, apply a `PeerAuthentication` policy. The following 
policy forces STRICT mTLS for the entire namespace:
+
+```bash
+cat <<EOF | kubectl apply -f -
+apiVersion: security.dubbo.apache.org/v1
+kind: PeerAuthentication
+metadata:
+  name: producer-mtls
+  namespace: grpc-app
+spec:
+  mtls:
+    mode: STRICT
+EOF
+```
+
+Requests will start to succeed after applying the policy:
+
+```bash
+grpcurl -plaintext -d '{"url": 
"xds:///producer.grpc-app.svc.cluster.local:7070"}' localhost:17171 
echo.EchoTestService/ForwardEcho | jq -r '.output | join("")'
+```
+
+Expected successful output:
+```json
+{
+  "output": [
+    "[0 body] Hostname=producer-v2-594b6977c8-5gw2z ServiceVersion=v2 
Namespace=grpc-app IP=192.168.219.88 ServicePort=17070",
+    "[1 body] Hostname=producer-v2-594b6977c8-5gw2z ServiceVersion=v2 
Namespace=grpc-app IP=192.168.219.88 ServicePort=17070",
+    "[2 body] Hostname=producer-v2-594b6977c8-5gw2z ServiceVersion=v2 
Namespace=grpc-app IP=192.168.219.88 ServicePort=17070",
+    "[3 body] Hostname=producer-v2-594b6977c8-5gw2z ServiceVersion=v2 
Namespace=grpc-app IP=192.168.219.88 ServicePort=17070",
+    "[4 body] Hostname=producer-v1-fbb7b9bd9-l8frj ServiceVersion=v1 
Namespace=grpc-app IP=192.168.219.119 ServicePort=17070"
+  ]
+}
+```
+
 ## Cleanup
 
 ```bash
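
Review bot: In the "Enabling mTLS" section, the expected-output blocks fenced as `json` do not match what the commands above them print: both commands end in `jq -r '.output | join("")'`, which emits the joined strings rather than an object with an `output` array, and neither passes `"count"` although the successful output lists five responses (`[0 body]` to `[4 body]`). Either drop the `jq` filter from those two commands or show the raw text as the traffic-shifting example does, and say where the five requests come from. The successful output after the STRICT `PeerAuthentication` also carries nothing that distinguishes an mTLS call from a plaintext one, so the walkthrough never shows enforcement; consider adding a negative check, such as removing the `producer-mtls` SubsetRule and showing that the call is then rejected. It would also help to say that calls fail between the client-side and server-side steps, and to explain why a `networking.dubbo.apache.org/v1` resource uses the value `mode: ISTIO_MUTUAL`. Finally, the hunk creates four resources (`producer-versions`, `producer-weights` and the two `producer-mtls` objects); please confirm the Cleanup section deletes them.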
