Ingress Gateways

Along with support for Kubernetes Ingress resources, Istio also allows you to configure ingress traffic using either an Istio Gateway or Kubernetes Gateway resource. A Gateway provides more extensive customization and flexibility than Ingress, and allows Istio features such as monitoring and route rules to be applied to traffic entering the cluster.

This task describes how to configure Istio to expose a service outside of the service mesh using a Gateway.

Istio includes beta support for the Kubernetes Gateway API and intends to make it the default API for traffic management in the future. The following instructions allow you to choose to use either the Gateway API or the Istio configuration API when configuring traffic management in the mesh. Follow instructions under either the Gateway API or Istio classic tab, according to your preference.

Note that the Kubernetes Gateway API CRDs do not come installed by default on most Kubernetes clusters, so make sure they are installed before using the Gateway API:

  1. $ kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \
  2. { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.6.2" | kubectl apply -f -; }

Before you begin

  • Setup Istio by following the instructions in the Installation guide.

    If you are going to use the Gateway API instructions, you can install Istio using the minimal profile because you will not need the istio-ingressgateway which is otherwise installed by default:

    1. $ istioctl install --set profile=minimal
  • Start the httpbin sample, which will serve as the target service for ingress traffic:

    Zip

    1. $ kubectl apply -f @samples/httpbin/httpbin.yaml@

    Note that for the purpose of this document, which shows how to use a gateway to control ingress traffic into your “Kubernetes cluster”, you can start the httpbin service with or without sidecar injection enabled (i.e., the target service can be either inside or outside of the Istio mesh).

Configuring ingress using a gateway

An ingress Gateway describes a load balancer operating at the edge of the mesh that receives incoming HTTP/TCP connections. It configures exposed ports, protocols, etc. but, unlike Kubernetes Ingress Resources, does not include any traffic routing configuration. Traffic routing for ingress traffic is instead configured using routing rules, exactly in the same way as for internal service requests.

Let’s see how you can configure a Gateway on port 80 for HTTP traffic.

Create an Istio Gateway:

  1. $ kubectl apply -f - <<EOF
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: Gateway
  4. metadata:
  5. name: httpbin-gateway
  6. spec:
  7. # The selector matches the ingress gateway pod labels.
  8. # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress"
  9. selector:
  10. istio: ingressgateway
  11. servers:
  12. - port:
  13. number: 80
  14. name: http
  15. protocol: HTTP
  16. hosts:
  17. - "httpbin.example.com"
  18. EOF

Configure routes for traffic entering via the Gateway:

  1. $ kubectl apply -f - <<EOF
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: VirtualService
  4. metadata:
  5. name: httpbin
  6. spec:
  7. hosts:
  8. - "httpbin.example.com"
  9. gateways:
  10. - httpbin-gateway
  11. http:
  12. - match:
  13. - uri:
  14. prefix: /status
  15. - uri:
  16. prefix: /delay
  17. route:
  18. - destination:
  19. port:
  20. number: 8000
  21. host: httpbin
  22. EOF

You have now created a virtual service configuration for the httpbin service containing two route rules that allow traffic for paths /status and /delay.

The gateways list specifies that only requests through your httpbin-gateway are allowed. All other external requests will be rejected with a 404 response.

Internal requests from other services in the mesh are not subject to these rules but instead will default to round-robin routing. To apply these rules to internal calls as well, you can add the special value mesh to the list of gateways. Since the internal hostname for the service is probably different (e.g., httpbin.default.svc.cluster.local) from the external one, you will also need to add it to the hosts list. Refer to the operations guide for more details.

Create a Kubernetes Gateway:

  1. $ kubectl apply -f - <<EOF
  2. apiVersion: gateway.networking.k8s.io/v1beta1
  3. kind: Gateway
  4. metadata:
  5. name: httpbin-gateway
  6. spec:
  7. gatewayClassName: istio
  8. listeners:
  9. - name: http
  10. hostname: "httpbin.example.com"
  11. port: 80
  12. protocol: HTTP
  13. allowedRoutes:
  14. namespaces:
  15. from: Same
  16. EOF

In a production environment, a Gateway and its corresponding routes are often created in separate namespaces by users performing different roles. In that case, the allowedRoutes field in the Gateway would be configured to specify the namespaces where routes should be created, instead of, as in this example, expecting them to be in the same namespace as the Gateway.

Because creating a Kubernetes Gateway resource will also deploy an associated proxy service, run the following command to wait for the gateway to be ready:

  1. $ kubectl wait --for=condition=programmed gtw httpbin-gateway

Configure routes for traffic entering via the Gateway:

  1. $ kubectl apply -f - <<EOF
  2. apiVersion: gateway.networking.k8s.io/v1beta1
  3. kind: HTTPRoute
  4. metadata:
  5. name: httpbin
  6. spec:
  7. parentRefs:
  8. - name: httpbin-gateway
  9. hostnames: ["httpbin.example.com"]
  10. rules:
  11. - matches:
  12. - path:
  13. type: PathPrefix
  14. value: /status
  15. - path:
  16. type: PathPrefix
  17. value: /delay
  18. backendRefs:
  19. - name: httpbin
  20. port: 8000
  21. EOF

You have now created an HTTP Route configuration for the httpbin service containing two route rules that allow traffic for paths /status and /delay.

Determining the ingress IP and ports

Every Gateway is backed by a service of type LoadBalancer. The external load balancer IP and ports for this service are used to access the gateway. Kubernetes services of type LoadBalancer are supported by default in clusters running on most cloud platforms but in some environments (e.g., test) you may need to do the following:

  • minikube - start an external load balancer by running the following command in a different terminal:

    1. $ minikube tunnel
  • kind - follow the guide for setting up MetalLB to get LoadBalancer type services to work.

  • other platforms - you may be able to use MetalLB to get an EXTERNAL-IP for LoadBalancer services.

For convenience, we will store the ingress IP and ports in environment variables which will be used in later instructions. Set the INGRESS_HOST and INGRESS_PORT environment variables according to the following instructions:

Set the following environment variables to the name and namespace where the Istio ingress gateway is located in your cluster:

  1. $ export INGRESS_NAME=istio-ingressgateway
  2. $ export INGRESS_NS=istio-system

If you installed Istio using Helm, the ingress gateway name and namespace are both istio-ingress:

  1. $ export INGRESS_NAME=istio-ingress
  2. $ export INGRESS_NS=istio-ingress

Run the following command to determine if your Kubernetes cluster is in an environment that supports external load balancers:

  1. $ kubectl get svc "$INGRESS_NAME" -n "$INGRESS_NS"
  2. NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
  3. istio-ingressgateway LoadBalancer 172.21.109.129 130.211.10.121 ... 17h

If the EXTERNAL-IP value is set, your environment has an external load balancer that you can use for the ingress gateway. If the EXTERNAL-IP value is <none> (or perpetually <pending>), your environment does not provide an external load balancer for the ingress gateway.

If your environment does not support external load balancers, you can try accessing the ingress gateway using node ports. Otherwise, set the ingress IP and ports using the following commands:

  1. $ export INGRESS_HOST=$(kubectl -n "$INGRESS_NS" get service "$INGRESS_NAME" -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  2. $ export INGRESS_PORT=$(kubectl -n "$INGRESS_NS" get service "$INGRESS_NAME" -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
  3. $ export SECURE_INGRESS_PORT=$(kubectl -n "$INGRESS_NS" get service "$INGRESS_NAME" -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
  4. $ export TCP_INGRESS_PORT=$(kubectl -n "$INGRESS_NS" get service "$INGRESS_NAME" -o jsonpath='{.spec.ports[?(@.name=="tcp")].port}')

In certain environments, the load balancer may be exposed using a host name, instead of an IP address. In this case, the ingress gateway’s EXTERNAL-IP value will not be an IP address, but rather a host name, and the above command will have failed to set the INGRESS_HOST environment variable. Use the following command to correct the INGRESS_HOST value:

  1. $ export INGRESS_HOST=$(kubectl -n "$INGRESS_NS" get service "$INGRESS_NAME" -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')

Get the gateway address and port from the httpbin gateway resource:

  1. $ export INGRESS_HOST=$(kubectl get gtw httpbin-gateway -o jsonpath='{.status.addresses[0].value}')
  2. $ export INGRESS_PORT=$(kubectl get gtw httpbin-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')

You can use similar commands to find other ports on any gateway. For example to access a secure HTTP port named https on a gateway named my-gateway:

  1. $ export INGRESS_HOST=$(kubectl get gtw my-gateway -o jsonpath='{.status.addresses[0].value}')
  2. $ export SECURE_INGRESS_PORT=$(kubectl get gtw my-gateway -o jsonpath='{.spec.listeners[?(@.name=="https")].port}')

Accessing ingress services

  1. Access the httpbin service using curl:

    1. $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"
    2. HTTP/1.1 200 OK
    3. server: istio-envoy
    4. ...

    Note that you use the -H flag to set the Host HTTP header to “httpbin.example.com”. This is needed because your ingress Gateway is configured to handle “httpbin.example.com”, but in your test environment you have no DNS binding for that host and are simply sending your request to the ingress IP.

  2. Access any other URL that has not been explicitly exposed. You should see an HTTP 404 error:

    1. $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/headers"
    2. HTTP/1.1 404 Not Found
    3. ...

Accessing ingress services using a browser

Entering the httpbin service URL in a browser won’t work because you can’t pass the Host header to a browser like you did with curl. In a real world situation, this is not a problem because you configure the requested host properly and DNS resolvable. Thus, you use the host’s domain name in the URL, for example, https://httpbin.example.com/status/200.

You can work around this problem for simple tests and demos as follows:

Use a wildcard * value for the host in the Gateway and VirtualService configurations. For example, change your ingress configuration to the following:

  1. $ kubectl apply -f - <<EOF
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: Gateway
  4. metadata:
  5. name: httpbin-gateway
  6. spec:
  7. # The selector matches the ingress gateway pod labels.
  8. # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress"
  9. selector:
  10. istio: ingressgateway
  11. servers:
  12. - port:
  13. number: 80
  14. name: http
  15. protocol: HTTP
  16. hosts:
  17. - "*"
  18. ---
  19. apiVersion: networking.istio.io/v1alpha3
  20. kind: VirtualService
  21. metadata:
  22. name: httpbin
  23. spec:
  24. hosts:
  25. - "*"
  26. gateways:
  27. - httpbin-gateway
  28. http:
  29. - match:
  30. - uri:
  31. prefix: /headers
  32. route:
  33. - destination:
  34. port:
  35. number: 8000
  36. host: httpbin
  37. EOF

If you remove the host names from the Gateway and HTTPRoute configurations, they will apply to any request. For example, change your ingress configuration to the following:

  1. $ kubectl apply -f - <<EOF
  2. apiVersion: gateway.networking.k8s.io/v1beta1
  3. kind: Gateway
  4. metadata:
  5. name: httpbin-gateway
  6. spec:
  7. gatewayClassName: istio
  8. listeners:
  9. - name: http
  10. port: 80
  11. protocol: HTTP
  12. allowedRoutes:
  13. namespaces:
  14. from: Same
  15. ---
  16. apiVersion: gateway.networking.k8s.io/v1beta1
  17. kind: HTTPRoute
  18. metadata:
  19. name: httpbin
  20. spec:
  21. parentRefs:
  22. - name: httpbin-gateway
  23. rules:
  24. - matches:
  25. - path:
  26. type: PathPrefix
  27. value: /headers
  28. backendRefs:
  29. - name: httpbin
  30. port: 8000
  31. EOF

You can then use $INGRESS_HOST:$INGRESS_PORT in the browser URL. For example, http://$INGRESS_HOST:$INGRESS_PORT/headers will display all the headers that your browser sends.

Understanding what happened

The Gateway configuration resources allow external traffic to enter the Istio service mesh and make the traffic management and policy features of Istio available for edge services.

In the preceding steps, you created a service inside the service mesh and exposed an HTTP endpoint of the service to external traffic.

Using node ports of the ingress gateway service

You should not use these instructions if your Kubernetes environment has an external load balancer supporting services of type LoadBalancer.

If your environment does not support external load balancers, you can still experiment with some of the Istio features by using the istio-ingressgateway service’s node ports.

Set the ingress ports:

  1. $ export INGRESS_PORT=$(kubectl -n "${INGRESS_NS}" get service "${INGRESS_NAME}" -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
  2. $ export SECURE_INGRESS_PORT=$(kubectl -n "${INGRESS_NS}" get service "${INGRESS_NAME}" -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
  3. $ export TCP_INGRESS_PORT=$(kubectl -n "${INGRESS_NS}" get service "${INGRESS_NAME}" -o jsonpath='{.spec.ports[?(@.name=="tcp")].nodePort}')

Setting the ingress IP depends on the cluster provider:

  1. GKE:

    1. $ export INGRESS_HOST=worker-node-address

    You need to create firewall rules to allow the TCP traffic to the ingressgateway service’s ports. Run the following commands to allow the traffic for the HTTP port, the secure port (HTTPS) or both:

    1. $ gcloud compute firewall-rules create allow-gateway-http --allow "tcp:$INGRESS_PORT"
    2. $ gcloud compute firewall-rules create allow-gateway-https --allow "tcp:$SECURE_INGRESS_PORT"
  2. IBM Cloud Kubernetes Service:

    1. $ ibmcloud ks workers --cluster cluster-name-or-id
    2. $ export INGRESS_HOST=public-IP-of-one-of-the-worker-nodes
  3. Docker For Desktop:

    1. $ export INGRESS_HOST=127.0.0.1
  4. Other environments:

    1. $ export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n "${INGRESS_NS}" -o jsonpath='{.items[0].status.hostIP}')

Troubleshooting

  1. Inspect the values of the INGRESS_HOST and INGRESS_PORT environment variables. Make sure they have valid values, according to the output of the following commands:

    1. $ kubectl get svc -n istio-system
    2. $ echo "INGRESS_HOST=$INGRESS_HOST, INGRESS_PORT=$INGRESS_PORT"
  2. Check that you have no other Istio ingress gateways defined on the same port:

    1. $ kubectl get gateway --all-namespaces
  3. Check that you have no Kubernetes Ingress resources defined on the same IP and port:

    1. $ kubectl get ingress --all-namespaces
  4. If you have an external load balancer and it does not work for you, try to access the gateway using its node port.

Cleanup

Delete the Gateway and VirtualService configuration, and shutdown the httpbin service:

Zip

  1. $ kubectl delete gateway httpbin-gateway
  2. $ kubectl delete virtualservice httpbin
  3. $ kubectl delete --ignore-not-found=true -f @samples/httpbin/httpbin.yaml@

Delete the Gateway and HTTPRoute configuration, and shutdown the httpbin service:

Zip

  1. $ kubectl delete gtw httpbin-gateway
  2. $ kubectl delete httproute httpbin
  3. $ kubectl delete --ignore-not-found=true -f @samples/httpbin/httpbin.yaml@