Ingress Gateways

Along with support for Kubernetes Ingress, Istio offers another configuration model, Istio Gateway. A Gateway provides more extensive customization and flexibility than Ingress, and allows Istio features such as monitoring and route rules to be applied to traffic entering the cluster.

This task describes how to configure Istio to expose a service outside of the service mesh using an Istio Gateway.

Before you begin

  • Setup Istio by following the instructions in the Installation guide.

  • Make sure your current directory is the istio directory.

  • Start the httpbin sample.

    If you have enabled automatic sidecar injection, deploy the httpbin service:

    Zip

    1. $ kubectl apply -f @samples/httpbin/httpbin.yaml@

    Otherwise, you have to manually inject the sidecar before deploying the httpbin application:

    Zip

    1. $ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@)
  • Determine the ingress IP and ports as described in the following subsection.

Determining the ingress IP and ports

Execute the following command to determine if your Kubernetes cluster is running in an environment that supports external load balancers:

  1. $ kubectl get svc istio-ingressgateway -n istio-system
  2. NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
  3. istio-ingressgateway LoadBalancer 172.21.109.129 130.211.10.121 ... 17h

If the EXTERNAL-IP value is set, your environment has an external load balancer that you can use for the ingress gateway. If the EXTERNAL-IP value is <none> (or perpetually <pending>), your environment does not provide an external load balancer for the ingress gateway. In this case, you can access the gateway using the service’s node port.

Choose the instructions corresponding to your environment:

Follow these instructions if you have determined that your environment has an external load balancer.

Set the ingress IP and ports:

  1. $ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  2. $ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
  3. $ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
  4. $ export TCP_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].port}')

In certain environments, the load balancer may be exposed using a host name, instead of an IP address. In this case, the ingress gateway’s EXTERNAL-IP value will not be an IP address, but rather a host name, and the above command will have failed to set the INGRESS_HOST environment variable. Use the following command to correct the INGRESS_HOST value:

  1. $ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')

Follow these instructions if you have determined that your environment does not have an external load balancer, so you need to use a node port instead.

Set the ingress ports:

  1. $ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
  2. $ export SECURE_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
  3. $ export TCP_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="tcp")].nodePort}')

Setting the ingress IP depends on the cluster provider:

  1. GKE:

    1. $ export INGRESS_HOST=worker-node-address

    You need to create firewall rules to allow the TCP traffic to the ingressgateway service’s ports. Run the following commands to allow the traffic for the HTTP port, the secure port (HTTPS) or both:

    1. $ gcloud compute firewall-rules create allow-gateway-http --allow "tcp:$INGRESS_PORT"
    2. $ gcloud compute firewall-rules create allow-gateway-https --allow "tcp:$SECURE_INGRESS_PORT"
  2. IBM Cloud Kubernetes Service:

    1. $ ibmcloud ks workers --cluster cluster-name-or-id
    2. $ export INGRESS_HOST=public-IP-of-one-of-the-worker-nodes
  3. Minikube:

    1. $ export INGRESS_HOST=$(minikube ip)
  4. Docker For Desktop:

    1. $ export INGRESS_HOST=127.0.0.1
  5. Other environments:

    1. $ export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')

Configuring ingress using an Istio gateway

An ingress Gateway describes a load balancer operating at the edge of the mesh that receives incoming HTTP/TCP connections. It configures exposed ports, protocols, etc. but, unlike Kubernetes Ingress Resources, does not include any traffic routing configuration. Traffic routing for ingress traffic is instead configured using Istio routing rules, exactly in the same way as for internal service requests.

Let’s see how you can configure a Gateway on port 80 for HTTP traffic.

  1. Create an Istio Gateway:

    1. $ kubectl apply -f - <<EOF
    2. apiVersion: networking.istio.io/v1alpha3
    3. kind: Gateway
    4. metadata:
    5. name: httpbin-gateway
    6. spec:
    7. selector:
    8. istio: ingressgateway # use Istio default gateway implementation
    9. servers:
    10. - port:
    11. number: 80
    12. name: http
    13. protocol: HTTP
    14. hosts:
    15. - "httpbin.example.com"
    16. EOF
  2. Configure routes for traffic entering via the Gateway:

    1. $ kubectl apply -f - <<EOF
    2. apiVersion: networking.istio.io/v1alpha3
    3. kind: VirtualService
    4. metadata:
    5. name: httpbin
    6. spec:
    7. hosts:
    8. - "httpbin.example.com"
    9. gateways:
    10. - httpbin-gateway
    11. http:
    12. - match:
    13. - uri:
    14. prefix: /status
    15. - uri:
    16. prefix: /delay
    17. route:
    18. - destination:
    19. port:
    20. number: 8000
    21. host: httpbin
    22. EOF

    You have now created a virtual service configuration for the httpbin service containing two route rules that allow traffic for paths /status and /delay.

    The gateways list specifies that only requests through your httpbin-gateway are allowed. All other external requests will be rejected with a 404 response.

    Internal requests from other services in the mesh are not subject to these rules but instead will default to round-robin routing. To apply these rules to internal calls as well, you can add the special value mesh to the list of gateways. Since the internal hostname for the service is probably different (e.g., httpbin.default.svc.cluster.local) from the external one, you will also need to add it to the hosts list. Refer to the operations guide for more details.

  3. Access the httpbin service using curl:

    1. $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/status/200"
    2. HTTP/1.1 200 OK
    3. server: istio-envoy
    4. ...

    Note that you use the -H flag to set the Host HTTP header to “httpbin.example.com”. This is needed because your ingress Gateway is configured to handle “httpbin.example.com”, but in your test environment you have no DNS binding for that host and are simply sending your request to the ingress IP.

  4. Access any other URL that has not been explicitly exposed. You should see an HTTP 404 error:

    1. $ curl -s -I -HHost:httpbin.example.com "http://$INGRESS_HOST:$INGRESS_PORT/headers"
    2. HTTP/1.1 404 Not Found
    3. ...

Accessing ingress services using a browser

Entering the httpbin service URL in a browser won’t work because you can’t pass the Host header to a browser like you did with curl. In a real world situation, this is not a problem because you configure the requested host properly and DNS resolvable. Thus, you use the host’s domain name in the URL, for example, https://httpbin.example.com/status/200.

To work around this problem for simple tests and demos, use a wildcard * value for the host in the Gateway and VirtualService configurations. For example, if you change your ingress configuration to the following:

  1. $ kubectl apply -f - <<EOF
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: Gateway
  4. metadata:
  5. name: httpbin-gateway
  6. spec:
  7. selector:
  8. istio: ingressgateway # use Istio default gateway implementation
  9. servers:
  10. - port:
  11. number: 80
  12. name: http
  13. protocol: HTTP
  14. hosts:
  15. - "*"
  16. ---
  17. apiVersion: networking.istio.io/v1alpha3
  18. kind: VirtualService
  19. metadata:
  20. name: httpbin
  21. spec:
  22. hosts:
  23. - "*"
  24. gateways:
  25. - httpbin-gateway
  26. http:
  27. - match:
  28. - uri:
  29. prefix: /headers
  30. route:
  31. - destination:
  32. port:
  33. number: 8000
  34. host: httpbin
  35. EOF

You can then use $INGRESS_HOST:$INGRESS_PORT in the browser URL. For example, http://$INGRESS_HOST:$INGRESS_PORT/headers will display all the headers that your browser sends.

Understanding what happened

The Gateway configuration resources allow external traffic to enter the Istio service mesh and make the traffic management and policy features of Istio available for edge services.

In the preceding steps, you created a service inside the service mesh and exposed an HTTP endpoint of the service to external traffic.

Troubleshooting

  1. Inspect the values of the INGRESS_HOST and INGRESS_PORT environment variables. Make sure they have valid values, according to the output of the following commands:

    1. $ kubectl get svc -n istio-system
    2. $ echo "INGRESS_HOST=$INGRESS_HOST, INGRESS_PORT=$INGRESS_PORT"
  2. Check that you have no other Istio ingress gateways defined on the same port:

    1. $ kubectl get gateway --all-namespaces
  3. Check that you have no Kubernetes Ingress resources defined on the same IP and port:

    1. $ kubectl get ingress --all-namespaces
  4. If you have an external load balancer and it does not work for you, try to access the gateway using its node port.

Cleanup

Delete the Gateway and VirtualService configuration, and shutdown the httpbin service:

Zip

  1. $ kubectl delete gateway httpbin-gateway
  2. $ kubectl delete virtualservice httpbin
  3. $ kubectl delete --ignore-not-found=true -f @samples/httpbin/httpbin.yaml@

See also

Direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio Ingress Gateway

Configure the IBM Cloud Kubernetes Service Application Load Balancer to direct traffic to the Istio Ingress gateway with mutual TLS.

Istio as a Proxy for External Services

Configure Istio ingress gateway to act as a proxy for external services.

Deploy a Custom Ingress Gateway Using Cert-Manager

Describes how to deploy a custom ingress gateway using cert-manager manually.

Configuring Istio Ingress with AWS NLB

Describes how to configure Istio ingress with a network load balancer on AWS.

Configuring Gateway Network Topology [Experimental]

How to configure gateway network topology (experimental).

Ingress Gateway without TLS Termination

Describes how to configure SNI passthrough for an ingress gateway.