Using Istio Gateway for Ingress routing on Kubernetes - dpsp-summit/wiki GitHub Wiki

In this tutorial we will create an Istio Ingress Gateway and define some routing rules to control ingress traffic on our Kubernetes cluster.

Prerequisites

For this tutorial we are using a Kubernetes cluster on AWS with Istio 1.2.0 demo installed.

Determine the ingress IP

We run the following command to get information about our Istio Ingress Gateway:

kubectl get svc istio-ingressgateway -n istio-system

This will output something similar to this:

NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP                                                               PORT(S)                                                                                                                                      AGE
istio-ingressgateway   LoadBalancer   100.69.37.242   abae5b8a5ad4711e9bfb606ce18082aa-1571053311.us-west-2.elb.amazonaws.com   15020:30775/TCP,80:31380/TCP,443:31390/TCP,31400:31400/TCP,15029:30893/TCP,15030:30231/TCP,15031:30673/TCP,15032:30477/TCP,15443:31000/TCP   32m

Create an Istio Gateway

Create a file named gateway.yaml with the following content:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway # Define a name for the gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

Apply the configuration:

kubectl apply -f gateway.yaml

Note:
The hosts property is required. Since we don't want to restrict the gateway to any specific host in this tutorial, we just put an asterisk, which matches every host. In a production configuration we can define which hosts should be allowed to reach the gateway.

Deploy a sample application

For this tutorial we are going to deploy a sample application called Products. Create the deployment and service in a file named products.yaml:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: products
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: products
  template:
    metadata:
      labels:
        app: products
    spec:
      containers:
      - name: products
        image: fbereche/products-api:5.0.0
        env:
        - name: DB_SERVER
          value: mysql-server # the mysql service
        - name: DB_USERNAME
          value: root
        - name: DB_PASSWORD
          value: my-password # tutorial value only; in production, load it from a Kubernetes Secret with valueFrom.secretKeyRef
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: products-service
spec:
  selector:
    app: products
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080

Note:
Since we are not going to access this service directly from outside the cluster, remember not to use the LoadBalancer type. Use the ClusterIP type instead, which we do not need to specify since it is the default value.

Create Virtual Services

In order to map the Istio Ingress Gateway to the Service, we need to create a Virtual Service. In this configuration file we will define our inbound traffic rules.

Create a file named virtual_service.yaml with the following content:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-virtualservice
spec:
  hosts:
  - "*"
  gateways:
  - my-gateway
  http:
  - match:
    - uri:
        prefix: /products
    route:
    - destination:
        port:
          number: 80
        host: products-service # use the existing service name

Apply the configuration:

kubectl apply -f virtual_service.yaml
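
A check for the wildcard hosts mentioned in the Gateway note, as an added example that is not part of the original tutorial: it reads the JSON list that kubectl returns and reports every Gateway server and gateway-bound VirtualService that accepts any host. The sample input is constructed from the tutorial's manifests; `restricted-gateway` and `products.example.com` are hypothetical.

```python
import json

# Constructed sample in the shape returned by `kubectl get gateways.networking.istio.io,
# virtualservices.networking.istio.io --all-namespaces -o json` (hypothetical second Gateway).
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Gateway", "metadata": {"name": "my-gateway", "namespace": "default"},
  "spec": {"selector": {"istio": "ingressgateway"},
           "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                        "hosts": ["*"]}]}},
 {"kind": "Gateway", "metadata": {"name": "restricted-gateway", "namespace": "default"},
  "spec": {"selector": {"istio": "ingressgateway"},
           "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                        "hosts": ["products.example.com"]}]}},
 {"kind": "VirtualService", "metadata": {"name": "my-virtualservice", "namespace": "default"},
  "spec": {"hosts": ["*"], "gateways": ["my-gateway"],
           "http": [{"match": [{"uri": {"prefix": "/products"}}],
                     "route": [{"destination": {"host": "products-service",
                                                "port": {"number": 80}}}]}]}}
]}
""")

def is_wildcard(host):
    # Gateway hosts may carry an optional "namespace/" prefix before the DNS name.
    return host.rsplit("/", 1)[-1] == "*"

def audit_hosts(resource_list):
    """Return (kind, namespace/name, detail) for every wildcard host binding."""
    findings = []
    for item in resource_list.get("items", []):
        kind = item.get("kind")
        meta = item.get("metadata", {})
        ref = f'{meta.get("namespace", "default")}/{meta.get("name")}'
        spec = item.get("spec", {})
        if kind == "Gateway":
            for server in spec.get("servers", []):
                port = server.get("port", {}).get("number")
                if any(is_wildcard(h) for h in server.get("hosts", [])):
                    findings.append((kind, ref, f"port {port} accepts any host"))
        elif kind == "VirtualService":
            # Only services bound to a gateway other than "mesh" take ingress traffic.
            gateways = [g for g in spec.get("gateways", []) if g != "mesh"]
            if gateways and any(is_wildcard(h) for h in spec.get("hosts", [])):
                findings.append((kind, ref, f"any host via {', '.join(gateways)}"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(*finding, sep="\t")
```

To run it against a live cluster, load the saved kubectl output with `json.load` and pass it to `audit_hosts` in place of `SAMPLE`.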