Add-ons
Troubleshoot Gloo add-ons that extend the functionality of your setup.
External auth service
With the external auth service, you can protect your APIs by enforcing auth. For more information, see External authentication and authorization.
Check that the pod is running. Note that your add-ons might exist in the gloo-mesh-addons namespace instead.
kubectl get po -n gloo-mesh -l app=ext-auth-service
Make sure that you created all of the external auth-related custom resources, such as server and policy configs.
kubectl get extauthpolicies,extauthserver -A
Check that the AuthConfig internal custom resource is created and in an Accepted state.
kubectl get authconfigs -A
To get detailed logs for the external auth service, change the log level to DEBUG.
- Edit the external auth service.
kubectl get deploy -n gloo-mesh ext-auth-service -o yaml > ext-auth.yaml
- In the spec.container.env section, find the LOG_LEVEL environment variable and set it to DEBUG.
...
spec:
  containers:
  - env:
    - name: LOG_LEVEL
      value: DEBUG
- Apply the updated configuration.
kubectl apply -f ext-auth.yaml
- Make sure that the external auth service pod restarts.
kubectl get po -n gloo-mesh -l app=ext-auth-service
- Optional: To generate fresh logs, send a request to a service that is protected by an external auth policy.
Check the logs of the Gloo external auth server in your workload cluster.
kubectl logs -n gloo-mesh pods/$(kubectl get pod -l app=ext-auth-service -A -o jsonpath='{.items[0].metadata.name}')
Optionally, you can format the output with jq or save it in a local file so that you can read and analyze the output more easily.
kubectl logs -n gloo-mesh pods/$(kubectl get pod -l app=ext-auth-service -A -o jsonpath='{.items[0].metadata.name}') > ext-auth-service.json
If you enabled the OPA server sidecar, check that the OPA server is healthy. If the OPA server is not healthy, try the OPA troubleshooting docs. Common errors include misconfiguration such as the wrong credentials to download a bundle. Note that the following example command pipes the output to jq for readability.
kubectl logs -n gloo-mesh deploy/ext-auth-service -c opa-auth | jq
Rate limiter
With the rate limiter, you can protect your APIs by enforcing limits on the number of requests within a certain timeframe, such as 100 requests per minute. For more information, see Rate limiting.
Check that the pod is running. Note that your add-ons might exist in the gloo-mesh-addons namespace instead.
kubectl get po -n gloo-mesh -l app=rate-limiter
Make sure that you created all of the rate limiting-related custom resources, such as server and client configs.
kubectl get ratelimitserverconfigs,RatelimitConfigs,ratelimitserversettings,ratelimitclientconfigs,ratelimitpolicies -A
Check that the RateLimitConfig internal resource is created. This internal resource configures the rate limiter.
kubectl get RateLimitConfig -A
If the RateLimitConfig is missing or incorrect:
- Check the status of the RateLimitServerConfig for any error messages.
- Check the logs of the mgmt-server, such as with meshctl logs mgmt -l error --kubecontext ${MGMT_CONTEXT}. Make sure that your workload cluster is connected and that you do not have any translation errors.
Check the logs of the Gloo rate limiter in your workload cluster. To view logs recorded since a relative duration such as 5s, 2m, or 3h, you can specify the --since <duration> flag.
meshctl logs rate-limiter -l error [--since DURATION]
Optionally, you can format the output with jq or save it in a local file so that you can read and analyze the output more easily.
meshctl logs rate-limiter -l error > rate-limiter-logs.json
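Once the log is saved to a file, a short script can tally how many requests the rate limiter received and how many it rejected. The following Python sketch is an added example, not part of the Gloo documentation; it assumes one JSON object per line with a msg field, and the descriptor field name and the sample lines are constructed for illustration.

```python
import json
from collections import Counter

# Message strings that the rate limiter logs for received and rejected requests.
MSG_REQUEST = "rate limit request"
MSG_VIOLATED = "rate limit rule violated"

# Constructed sample: every field except "msg" is an assumption for illustration.
SAMPLE_LOG = """\
Fetching logs from rate-limiter...
{"msg":"rate limit request","descriptor":"generic_key=counter"}
{"msg":"Rate limit rule violated","descriptor":"generic_key=counter"}
{"msg":"rate limit request","descriptor":"generic_key=other"}
{"msg":"config reload failed"}
{"msg":"Rate limit rule violated","descriptor":"generic_key=counter"}
"""


def summarize(lines, group_field="descriptor"):
    """Count received and rejected requests in JSON-lines rate limiter logs."""
    # group_field is a hypothetical field name used to bucket violations.
    counts = Counter()
    violations = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
            msg = str(entry.get("msg", "")).strip().lower()
        except (ValueError, AttributeError):
            counts["unparsed"] += 1  # banners, truncated lines, non-object JSON
            continue
        if msg == MSG_REQUEST:
            counts["received"] += 1
        elif msg == MSG_VIOLATED:
            counts["violated"] += 1
            violations[str(entry.get(group_field, "<unknown>"))] += 1
        else:
            counts["other"] += 1
    return dict(counts), dict(violations)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("rate-limiter-logs.json").read() for a saved file.
    totals, by_group = summarize(SAMPLE_LOG.splitlines())
    print(totals)
    print(by_group)
```

A high share of violated entries concentrated in one bucket points at a single descriptor whose limit is being hit, rather than a misconfiguration that affects every request.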
Open the debug interface for the rate limiter.
Enable port-forwarding for the rate limiter.
kubectl port-forward -n gloo-mesh svc/rate-limiter 9091:9091
In your browser, open http://localhost:9091/. You see a page similar to the following image.
Figure: Rate limiter debug page
Click rlconfig. Verify that the config includes the descriptor details that you set up in the RateLimitServerConfig. If not, check the configuration details of your rate limit resources. Common errors include missing namespaces or incorrect names.
domain: solo.io
rateLimitTreeDescriptor:
setDescriptors:
- solo.io|generic_key^counter|generic_key^gloo-mesh.rl-server-config|generic_key^solo.setDescriptor.uniqueValue: unit=DAY requests_per_unit=3 always_apply=false
From the debug page, click logging. You might see messages similar to the following.
- "msg":"rate limit request": The rate limiter received a request. You can review more details such as the descriptors in the rest of the log.
- "msg":"Rate limit rule violated": The request exceeded the rate limit, such as exceeding the count. As such, the request gets rejected.