Preface
In the world of Istio, if you want to bring external request traffic into the mesh, you need to understand and learn to configure the Istio Ingress Gateway.
What is Ingress Gateway
Because the Kubernetes Ingress API supports only the most basic HTTP routing, configuring external traffic with Kubernetes Ingress resources does not meet Istio's requirements. The Istio v1alpha3 routing API therefore introduces the Istio Ingress Gateway as a replacement for Kubernetes Ingress.
A Gateway configures a load balancer for HTTP/TCP traffic that receives incoming and outgoing connections at the edge of the mesh. Several different gateways can exist in the same mesh. The Gateway specification describes a set of exposed ports, the protocols used on those ports, the SNI configuration for the load balancer, and so on. Users then control the HTTP and TCP requests entering the mesh with standard Istio routing rules.
The following figure shows how the Istio Gateway fits into the mesh as a whole:
How do I configure the Gateway to control Ingress traffic
If you already have Bookinfo installed, then to reach the productpage service of Bookinfo from outside the cluster you only need to configure a Gateway and the associated VirtualService.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - bookinfo.com
    port:
      number: 80
      name: http
      protocol: HTTP
To configure routes, define a VirtualService for the same host and bind it to the Gateway created above through the gateways field:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - bookinfo.com
  gateways:
  - bookinfo-gateway # <---- bind to the Gateway
  - mesh             # <---- also apply these rules to traffic inside the mesh
  http:
  - match:
    - uri:
        exact: /productpage
    route:
    - destination:
        host: productpage
        port:
          number: 9080
This exposes the productpage service to clients outside the mesh.
How do I encrypt the Gateway with HTTPS?
We can also protect the service with TLS and expose it externally over HTTPS.
First generate the certificates and keys for the server and client sides with your certificate tooling, then create a Secret from the key and certificate:
$ kubectl create -n istio-system secret tls istio-ingressgateway-certs --key key.pem --cert cert.pem
Then update the Gateway so that the Ingress Gateway also exposes port 443 for HTTPS:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - bookinfo.com
    port:
      number: 80
      name: http
      protocol: HTTP
  - hosts:
    - "*"
    port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
This minimal configuration allows bookinfo.com to be accessed over HTTPS.
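As an added example (not part of the original article), here is the same Gateway with the three settings a reviewer would normally tighten: port 80 only redirects to HTTPS instead of serving plaintext, the 443 server is limited to bookinfo.com rather than "*", and the TLS floor is pinned explicitly. The host name, secret mount path and gateway name are taken from the page; the httpsRedirect and minProtocolVersion fields are standard Istio Gateway options.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  # Port 80 stays open only to answer with a 301 to HTTPS, so no
  # plaintext request for /productpage is ever forwarded.
  - hosts:
    - bookinfo.com
    port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
  # The page's 443 server used hosts: "*". Binding it to the same host
  # the VirtualService routes for keeps the gateway from presenting this
  # certificate for every SNI name that happens to reach the listener.
  - hosts:
    - bookinfo.com
    port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      # Pin the minimum TLS version rather than relying on TLS_AUTO.
      minProtocolVersion: TLSV1_2
      # Same files the istio-ingressgateway-certs Secret is mounted as.
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
```

With this in place the existing VirtualService needs no change; after applying it, a plain `curl -I http://bookinfo.com/productpage` should return a 301 to the https:// URL instead of the page body.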