The gateway to each cluster can have its own port or load balancer, which is unrelated to a service mesh. By default, each Rancher-provisioned cluster has one NGINX ingress controller allowing traffic into the cluster.

You can use the NGINX ingress controller with or without Istio installed. If this is the only gateway to your cluster, Istio will be able to route traffic from service to service, but Istio will not be able to receive traffic from outside the cluster.

To allow Istio to receive external traffic, you need to enable Istio’s gateway, which works as a north-south proxy for external traffic. When you enable the Istio gateway, the result is that your cluster will have two ingresses.

You will also need to set up a Kubernetes gateway for your services. This Kubernetes resource points to Istio’s implementation of the ingress gateway to the cluster.

You can route traffic into the service mesh with a load balancer or just Istio’s NodePort gateway. This section describes how to set up the NodePort gateway.

For more information on the Istio gateway, refer to the Istio documentation.

In an Istio-enabled cluster, you can have two ingresses: the default Nginx ingress, and the default Istio controller.

Enable the Istio Gateway

The ingress gateway is a Kubernetes service that will be deployed in your cluster. There is only one Istio gateway per cluster.

  1. Go to the cluster where you want to allow outside traffic into Istio.
  2. Click Tools > Istio.
  3. Expand the Ingress Gateway section.
  4. Under Enable Ingress Gateway, click True. The default type of service for the Istio gateway is NodePort. You can also configure it as a load balancer.
  5. Optionally, configure the ports, service types, node selectors and tolerations, and resource requests and limits for this service. The default resource requests for CPU and memory are the minimum recommended resources.
  6. Click Save.

Result: The gateway is deployed, which allows Istio to receive traffic from outside the cluster.

Add a Kubernetes Gateway that Points to the Istio Gateway

To allow traffic to reach Ingress, you will also need to provide a Kubernetes gateway resource in your YAML that points to Istio’s implementation of the ingress gateway to the cluster.

  1. Go to the namespace where you want to deploy the Kubernetes gateway and click Import YAML.
  2. Upload the gateway YAML as a file or paste it into the form. An example gateway YAML is provided below.
  3. Click Import.
  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: Gateway
  3. metadata:
  4.   name: bookinfo-gateway
  5. spec:
  6.   selector:
  7.     istio: ingressgateway # use istio default controller
  8.   servers:
  9.     - port:
  10.         number: 80
  11.         name: http
  12.         protocol: HTTP
  13.       hosts:
  14.         - "*"
  15. ---
  16. apiVersion: networking.istio.io/v1alpha3
  17. kind: VirtualService
  18. metadata:
  19.   name: bookinfo
  20. spec:
  21.   hosts:
  22.   - "*"
  23.   gateways:
  24.   - bookinfo-gateway
  25.   http:
  26.   - match:
  27.     - uri:
  28.         exact: /productpage
  29.     - uri:
  30.         prefix: /static
  31.     - uri:
  32.         exact: /login
  33.     - uri:
  34.         exact: /logout
  35.     - uri:
  36.         prefix: /api/v1/products
  37.     route:
  38.     - destination:
  39.         host: productpage
  40.         port:
  41.           number: 9080

Result: You have configured your gateway resource so that Istio can receive traffic from outside the cluster.

Confirm that the resource exists by running:

  1. kubectl get gateway -A

The result should be something like this:

  1. NAME               AGE
  2. bookinfo-gateway   64m

Access the ProductPage Service from a Web Browser

To test and see if the BookInfo app deployed correctly, the app can be viewed a web browser using the Istio controller IP and port, combined with the request name specified in your Kubernetes gateway resource:

http://<IP of Istio controller>:<Port of istio controller>/productpage

To get the ingress gateway URL and port,

  1. Go to the System project in your cluster.
  2. Within the System project, go to Resources > Workloads then scroll down to the istio-system namespace.
  3. Within istio-system, there is a workload named istio-ingressgateway. Under the name of this workload, you should see links, such as 80/tcp.
  4. Click one of those links. This should show you the URL of the ingress gateway in your web browser. Append /productpage to the URL.

Result: You should see the BookInfo app in the web browser.

For help inspecting the Istio controller URL and ports, try the commands the Istio documentation.

Troubleshooting

The official Istio documentation suggests kubectl commands to inspect the correct ingress host and ingress port for external requests.

Confirming that the Kubernetes Gateway Matches Istio’s Ingress Controller

You can try the steps in this section to make sure the Kubernetes gateway is configured properly.

In the gateway resource, the selector refers to Istio’s default ingress controller by its label, in which the key of the label is istio and the value is ingressgateway. To make sure the label is appropriate for the gateway, do the following:

  1. Go to the System project in your cluster.
  2. Within the System project, go to the namespace istio-system.
  3. Within istio-system, there is a workload named istio-ingressgateway.
  4. Click the name of this workload and go to the Labels and Annotations section. You should see that it has the key istio and the value ingressgateway. This confirms that the selector in the Gateway resource matches Istio’s default ingress controller.

Next: Set up Istio’s Components for Traffic Management