June 17, 2019     1min read

Practical Istio - Ingress Gateway


Get the code for this post!

t04glovern/gke-istio-bootstrap

Table of Contents


Introduction

With Istio now installed its time to start allowing traffic into the cluster. In Istio a gateway will sit on the edge of your network and the flow of traffic into the other Istio components. All the Gateway is setup for is to allow incoming TCP/HTTP connections that can be mapped later on using VirtualService routing rules.

In this post we'll look at setting up a number of distinct gateways for all the various services within our cluster in both the istio-system and default namespaces.

Map Services

To begin with create a list of all the services we'd like to expose over our Istio Gateway. To start with get a list of the cluster services already attached to the Istio ingress load balancer by running the following:

kubectl get service -n istio-system -l istio=ingressgateway --output=json | jq '.items[].spec.ports[]'

The output of this should look something like the following:

{
  "name": "status-port",
  "nodePort": 32288,
  "port": 15020,
  "protocol": "TCP",
  "targetPort": 15020
}
{
  "name": "http2",
  "nodePort": 31380,
  "port": 80,
  "protocol": "TCP",
  "targetPort": 80
}
{
  "name": "https",
  "nodePort": 31390,
  "port": 443,
  "protocol": "TCP",
  "targetPort": 443
}
{
  "name": "tcp",
  "nodePort": 31400,
  "port": 31400,
  "protocol": "TCP",
  "targetPort": 31400
}
{
  "name": "https-kiali",
  "nodePort": 32563,
  "port": 15029,
  "protocol": "TCP",
  "targetPort": 15029
}
{
  "name": "https-prometheus",
  "nodePort": 32444,
  "port": 15030,
  "protocol": "TCP",
  "targetPort": 15030
}
{
  "name": "https-grafana",
  "nodePort": 30158,
  "port": 15031,
  "protocol": "TCP",
  "targetPort": 15031
}
{
  "name": "https-tracing",
  "nodePort": 31895,
  "port": 15032,
  "protocol": "TCP",
  "targetPort": 15032
}
{
  "name": "tls",
  "nodePort": 31135,
  "port": 15443,
  "protocol": "TCP",
  "targetPort": 15443
}

We're interested in the following services, and make a note of the port exposed for the service.

ServicePort
kiali (https-kiali)15029
prometheus (https-prometheus)15030
grafana (https-grafana)15031
tracing (https-tracing)15032
http (http2)80

Gateways

For each of the ports above we are going to be creating a separate Gateway that will explicitly tell kubernetes to watch out for it. Within the k8s/istio/gateways folder is all the services above defined separately. Take a look at the Grafana definition below for more details.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-grafana # Individual name (we'll use this later in VirtualServer)
  namespace: istio-system # Namespace
spec:
  selector:
    istio: ingressgateway # Specify the ingressgateway created for us
  servers:
  - port:
      number: 15031 # Service port to watch
      name: http-grafana
      protocol: HTTP
    hosts:
    - gke.devopstar.com # Host to watch on, could be "*"

Note: although the port.name field in port appears to be different to the one in ingress, these values do not relate (and can be different).

The important information above is that we have to place the Istio component configuration into istio-system namespace, whereas for the HTTP gateway, it is placed into default.

To deploy all the gateways at once, run the following command on the bastion server.

kubectl apply -f k8s/istio/gateways

Whats Next?

In the next section we'll begin looking at how to define VirtualServices to route from our Gateway to.

devopstar

DevOpStar by Nathan Glover | 2020