Kubernetes Gateway API

Kuma supports configuring Built-in Gateway using Kubernetes Gateway API.

Installation

Gateway API support is an experimental feature that has to be explicitly enabled.

  1. Install Gateway API CRDs

    The Gateway API CRDs are not yet available by default in Kubernetes. You must first install them.

  2. Enable Built-in Gateway and Gateway API support

    Gateway API can only be used when Kuma built-in Gateway is enabled.

    When Kuma is installed with kumactl, use --experimental-meshgateway and --experimental-gatewayapi.

    When Kuma is installed with HELM, use experimental.meshGateway=true value and experimental.gatewayAPI=true.

Usage

  1. Setup counter demo application

    1. kumactl install demo | kubectl apply -f -
  2. Add GatewayClass and Gateway

    The Gateway resource represents the proxy instance that handles traffic for a set of Gateway API routes, and a GatewayClass describes characteristics shared by all Gateways of a given type.

    1. echo "apiVersion: gateway.networking.k8s.io/v1alpha2
    2. kind: GatewayClass
    3. metadata:
    4. name: kuma
    5. spec:
    6. controllerName: gateways.kuma.io/controller
    7. " | kubectl apply -f -
    1. echo "apiVersion: gateway.networking.k8s.io/v1alpha2
    2. kind: Gateway
    3. metadata:
    4. name: kuma
    5. namespace: kuma-demo
    6. spec:
    7. gatewayClassName: kuma
    8. listeners:
    9. - name: proxy
    10. port: 8080
    11. protocol: HTTP
    12. " | kubectl apply -f -

    When Gateway resource is applied, Kuma automatically creates an instance of a built-in Gateway with a corresponding Service.

    1. kubectl get pods -n kuma-demo
    2. NAME READY STATUS RESTARTS AGE
    3. redis-59c9d56fc-6gcbc 2/2 Running 0 2m8s
    4. demo-app-5845d6447b-v7npw 2/2 Running 0 2m8s
    5. kuma-4j6wr-58998b5576-25wl6 1/1 Running 0 30s
    6. kubectl get svc -n kuma-demo
    7. NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
    8. redis ClusterIP 10.43.223.223 <none> 6379/TCP 3m27s
    9. demo-app ClusterIP 10.43.216.203 <none> 5000/TCP 3m27s
    10. kuma-pfh4s LoadBalancer 10.43.122.93 172.20.0.3 8080:30627/TCP 87s

    Gateway can now be accessed using 172.20.0.3:8080 address.

  3. Add an HTTPRoute

    HTTPRoute resources contains a set of matching criteria for HTTP requests and upstream Services to route those requests to.

    1. echo "apiVersion: gateway.networking.k8s.io/v1alpha2
    2. kind: HTTPRoute
    3. metadata:
    4. name: echo
    5. namespace: kuma-demo
    6. spec:
    7. parentRefs:
    8. - group: gateway.networking.k8s.io
    9. kind: Gateway
    10. name: kuma
    11. namespace: kuma-demo
    12. rules:
    13. - backendRefs:
    14. - group: ''
    15. kind: Service
    16. name: demo-app
    17. port: 5000
    18. weight: 1
    19. matches:
    20. - path:
    21. type: PathPrefix
    22. value: /
    23. " | kubectl apply -f -

    After creating an HTTPRoute, accessing / forwards a request to the demo app:

    1. curl 172.20.0.3:8080/ -i
    1. HTTP/1.1 200 OK
    2. x-powered-by: Express
    3. accept-ranges: bytes
    4. cache-control: public, max-age=0
    5. last-modified: Tue, 20 Oct 2020 17:16:41 GMT
    6. etag: W/"2b91-175470350a8"
    7. content-type: text/html; charset=UTF-8
    8. content-length: 11153
    9. date: Fri, 18 Mar 2022 11:33:29 GMT
    10. x-envoy-upstream-service-time: 2
    11. server: Kuma Gateway
    12. <html>
    13. <head>
    14. ...

TLS Termination

Gateway API supports TLS termination by using standard kubernetes.io/tls Secrets.

Here is an example

  1. apiVersion: v1
  2. kind: Secret
  3. metadata:
  4. name: secret-tls
  5. namespace: kuma-demo
  6. type: kubernetes.io/tls
  7. data:
  8. tls.crt: "MIIEOzCCAyO..." # redacted
  9. tls.key: "MIIEowIBAAKC..." # redacted
  1. apiVersion: gateway.networking.k8s.io/v1alpha2
  2. kind: Gateway
  3. metadata:
  4. name: kuma
  5. namespace: kuma-demo
  6. spec:
  7. gatewayClassName: kuma
  8. listeners:
  9. - name: proxy
  10. port: 8080
  11. hostname: test.kuma.io
  12. protocol: HTTPS
  13. tls:
  14. certificateRefs:
  15. - name: secret-tls

Under the hood, Kuma CP copies the Secret to kuma-system namespace and converts it to Kuma Secret. It tracks all the changes to the secret and deletes it if the original secret is deleted.

Multizone

Gateway API is not supported with multizone deployments, use Mesh Gateway CRDs instead.

How does it work

When the feature is enabled, Kubernetes Gateway API CRDs are automatically converted to Kuma Mesh Gateway CRDs. This is the reason why in the GUI we will see Kuma Mesh Gateway and not Kubernetes Gateway API resources.

When using Kubernetes Gateway API CRDs, it is a source of truth, so do not edit Kuma Mesh Gateway CRDs directly.