Custom resources

Sometimes, you might create Gloo resources and expect a certain result, such as a policy applying to traffic or a gateway listening for traffic. If you do not get the expected result, try the following general debugging steps.

  1. Check the Gloo resources in your management and remote clusters. You might find the following commands useful.

    You can list all of the Gloo custom resource.

    kubectl get solo-io -A

    You can also export them to a YAML file and open with your favorite editor to search or update the configurations.

    kubectl get solo-io -A -o yaml > gloo-resources.yaml

    You can use another tool like grep to search for certain information within all the Gloo resources, such as to verify that the resources are all ACCEPTED.

    kubectl get solo-io -A -o yaml | grep 'state'
    kubectl get apidocs,apischemadiscoveries,workspaces,workspacesettings,roottrustpolicies,dashboards,kubernetesclusters -A
    kubectl get ratelimitserverconfigs,RatelimitConfigs,ratelimitserversettings,ratelimitclientconfigs,ratelimitpolicies,wasmdeploymentpolicies,externalendpoints,externalservices,accesslogpolicies,activehealthcheckpolicies,failoverpolicies,faultinjectionpolicies,listenerconnectionpolicies,loadbalancerpolicies,outlierdetectionpolicies,jwtpolicies,wafpolicies,retrytimeoutpolicies,accesspolicies,connectionpolicies,corspolicies,csrfpolicies,dlppolicies,extauthpolicies,mirrorpolicies,transformationpolicies,authorizationpolicies,extauthserver,headermanipulationpolicies,proxyprotocolpolicies,trimproxyconfigpolicies,adaptiverequestconcurrencypolicies -A
    kubectl get virtualgateways,routetables,virtualdestinations,virtualservices,externalservices,externalendpoints,externalworkloads -A
    kubectl get cloudproviders,cloudresources -A
    kubectl get apidocs,apischemadiscoveries,graphqlresolvermaps,graphqlschemas,graphqlstitchedschemas -A
    kubectl get gatewaylifecyclemanagers,istiolifecyclemanagers -A
    kubectl get apidocs,apischemadiscoveries,extauthpolicies,extauthserver,portals,portalconfigs,ratelimitserverconfigs,ratelimitconfigs,ratelimitserversettings,ratelimitclientconfigs,ratelimitpolicies,routetables -A

  2. Describe the resource, and look at the global status, events, and other areas for more information.

    kubectl describe virtualgateway $GATEWAY_NAME -n $NAMESPACE
  3. If you see an error or warning in the global status:

    1. Launch the Gloo UI, find the resource in the Resources > Solo page, and click View YAML. You can review workspace and cluster-specific details about the status in the UI.
    2. If the resource seems to work, such as a policy taking effect, even though the status shows up as unhealthy, you might have a Redis state issue. Restart Redis and check if the health status returns to normal.
  4. Verify that the resource is in the workspace that you expect it to be in. You can check the resource's namespace against the namespaces that are included in the workspace resource on the management cluster.

    kubectl describe workspace -n gloo-mesh --context $MGMT_CONTEXT

    In the output, check the Status sections to make sure that the workspace includes each cluster and namespace that you want to be part of the workspace.

        Name:  cluster1
  5. Verify that related resources are in the same workspace, or are exported and imported appropriately. For example, your virtual gateway must be in the same workspace as the route table and policy that you want it to work with.

  6. If applicable, verify that the ports are set up appropriately on the resource and the backing service. For example, your virtual gateway might listen on port 80, which matches the port of the Kubernetes service for the gateway deployment.

  7. Check the logs of the management server in the management cluster for accepted or translated resource messages. You might find common translation errors, such as a resource missing from the expected namespace or cluster. Create the resource or correct the resource configuration, and try again.

  8. Check the logs of agent pods on the remote cluster that the resource is created in.

  9. Check for Gloo resource's translated Istio resources in the same namespace. If the Istio resource exists, describe the resource and make sure that its configuration matches what you expect based on the Gloo resource configuration. If no Istio resource exists, try debugging your Gloo components. For example, your Gloo resources might not belong to the expected Gloo workspace, cluster, or namespace.

  10. If you upgraded Gloo versions recently, make sure that you applied the CRDs as part of the upgrade.

  11. If you continue to see error messages that indicate state reconciliation issues, try restarting the Redis pod.