Add-ons
Troubleshoot Gloo add-ons that extend the functionality of your setup.
External auth service
With the external auth service, you can protect your APIs by enforcing auth. For more information, see External authentication and authorization.
Check that the pod is running. Note that your add-ons might exist in the gloo-mesh-addons namespace instead.
kubectl get po -n gloo-mesh -l app=ext-auth-service
Make sure that you created all of the external auth-related custom resources, such as server and policy configs.
kubectl get extauthpolicies,extauthserver -A
Check that the AuthConfig internal custom resource is created and in an Accepted state.
kubectl get authconfigs -A
To get detailed logs for the external auth service, change the log level to DEBUG.
- Edit the external auth service.
kubectl get deploy -n gloo-mesh ext-auth-service -o yaml > ext-auth.yaml
- In the spec.container.env section, find the LOG_LEVEL environment variable and set it to DEBUG.
...
spec:
  containers:
  - env:
    - name: LOG_LEVEL
      value: DEBUG
- Apply the updated configuration.
kubectl apply -f ext-auth.yaml
- Make sure that the external auth service pod restarts.
kubectl get po -n gloo-mesh -l app=ext-auth-service
- Optional: To generate fresh logs, send a request to a service that is protected by an external auth policy.
Check the logs of the Gloo external auth server in your workload cluster.
kubectl logs -n gloo-mesh pods/$(kubectl get pod -l app=ext-auth-service -A -o jsonpath='{.items[0].metadata.name}')
Optionally, you can format the output with jq or save it in a local file so that you can read and analyze the output more easily.
kubectl logs -n gloo-mesh pods/$(kubectl get pod -l app=ext-auth-service -A -o jsonpath='{.items[0].metadata.name}') > ext-auth-service.json
If you enabled the OPA server sidecar, check that the OPA server is healthy. If the OPA server is not healthy, try the OPA troubleshooting docs. Common errors include misconfiguration such as the wrong credentials to download a bundle. Note that the following example command pipes the output to jq for readability.
kubectl logs -n gloo-mesh deploy/ext-auth-service -c opa-auth | jq
Rate limiter
With the rate limiter, you can protect your APIs by enforcing limits on the number of requests within a certain timeframe, such as 100 requests per minute. For more information, see Rate limiting.
- Check that the pod is running. Note that your add-ons might exist in the gloo-mesh-addons namespace instead.
kubectl get po -n gloo-mesh -l app=rate-limiter
- Make sure that you created all of the rate limiting-related custom resources, such as server and client configs.
kubectl get ratelimitserverconfigs,RatelimitConfigs,ratelimitserversettings,ratelimitclientconfigs,ratelimitpolicies -A
- Check the logs of the Gloo rate limiter in your workload cluster. To view logs recorded since a relative duration such as 5s, 2m, or 3h, you can specify the --since <duration> flag.
meshctl logs rate-limiter -l error [--since DURATION]
Optionally, you can format the output with jq or save it in a local file so that you can read and analyze the output more easily.
meshctl logs rate-limiter -l error > rate-limiter-logs.json
Gloo Portal
To debug the Gloo Portal, see the Portal troubleshooting section.