Add gateway config instructions and sample config #1411

Merged
merged 3 commits into from Oct 30, 2023
73 changes: 69 additions & 4 deletions bundle/README.md
@@ -79,11 +79,76 @@ By deploying the `reviews` virtual service, you can specify a different behavior

For more information, see [Bookinfo Application](https://istio.io/latest/docs/examples/bookinfo/) in the upstream Istio documentation.

## Gateway Configuration
After following the instructions for [Deploying the application](https://istio.io/latest/docs/examples/bookinfo/#start-the-application-services), **you will need to create and configure a gateway** for the `bookinfo` application to be accessible outside the cluster.

## Creating and Configuring Gateways

The Sail Operator does not deploy Ingress or Egress Gateways. Gateways are not part of the control plane. As a security best-practice, Ingress and Egress Gateways should be deployed in a different namespace than the namespace that contains the control plane.

You can deploy gateways using either the Gateway API or Gateway Injection methods. Both are well documented in the Istio documentation.
You can deploy gateways using either the Gateway API or Gateway Injection methods.

### Option 1: Istio Gateway Injection

Gateway Injection uses the same mechanisms as Istio sidecar injection to create a gateway from a `Deployment` resource that is paired with a `Service` resource that can be made accessible from outside the cluster. For more information, see [Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway).

To configure gateway injection with the `bookinfo` application, we have provided a [sample gateway configuration](../config/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace where the application is installed:

1. Create the `istio-ingressgateway` deployment and service:

```sh
$ oc apply -f -n <app-namespace> ingress-gateway.yaml
```

2. Configure the `bookinfo` application with the new gateway:

```sh
$ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml
```

3. On OpenShift, you can use a [Route](https://docs.openshift.com/container-platform/4.13/networking/routes/route-configuration.html) to expose the gateway externally:

```sh
$ oc expose service istio-ingressgateway
```

4. Finally, obtain the gateway host name and the URL of the product page:

```sh
$ HOST=$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}')
$ echo http://$HOST/productpage
```

Verify that the `productpage` is accessible from a web browser.

### Option 2: Kubernetes Gateway API

Istio includes support for Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) and intends to make it the default API for [traffic management in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). For more information, see Istio's [Kubernetes Gateway API](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/) page.

As of Kubernetes 1.28 and OpenShift 4.14, the Kubernetes Gateway API CRDs are not available by default and must be enabled to be used. This can be done with the command:

```sh
$ oc get crd gateways.gateway.networking.k8s.io &> /dev/null || { oc kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.8.0" | oc apply -f -; }
```

To configure `bookinfo` with a gateway using `Gateway API`:

1. Create and configure a gateway using a `Gateway` and `HTTPRoute` resource:

```sh
$ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml
```

2. Retrieve the host, port and gateway URL:

```sh
$ export INGRESS_HOST=$(oc get gtw bookinfo-gateway -o jsonpath='{.status.addresses[0].value}')
$ export INGRESS_PORT=$(oc get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
$ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
```

3. Obtain the `productpage` URL and check that you can visit it from a browser:

```sh
$ echo "http://${GATEWAY_URL}/productpage"
```

- To use Gateway API, follow the instructions in the [Getting Started with Istio and Kubernetes Gateway API](https://preliminary.istio.io/latest/docs/setup/additional-setup/getting-started/) page.
- To use Gateway Injection, use the `Helm` method described in the [Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway) page.
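Review bot: the apply command in step 1 of Option 1 has its flags in the wrong order: `oc apply -f -n <app-namespace> ingress-gateway.yaml` hands `-n` to `-f` as the file name, so it should read `oc apply -n <app-namespace> -f ingress-gateway.yaml`. Three smaller points in the same hunk. Both `oc apply -f https://raw.githubusercontent.com/istio/istio/master/...` commands pull unpinned manifests from the `master` branch, so what the reader applies can drift from the Istio version the operator deploys and change under them; pin them to the release tag matching the installed control plane. Option 2 never exposes the gateway outside the cluster the way Option 1 does with `oc expose service istio-ingressgateway`, so `.status.addresses[0].value` may be a cluster-internal address and the "check that you can visit it from a browser" step will not work from outside the cluster; either add the equivalent exposure step or state that the check is made from inside the cluster. Finally, `&> /dev/null` in the CRD bootstrap line is a bash-only redirection; `> /dev/null 2>&1` works in every shell the reader might paste it into.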
76 changes: 76 additions & 0 deletions config/samples/ingress-gateway.yaml
@@ -0,0 +1,76 @@
apiVersion: v1
kind: Service
metadata:
name: istio-ingressgateway
spec:
type: ClusterIP
selector:
istio: ingressgateway
ports:
- name: http2
port: 80
targetPort: 8080
- name: https
port: 443
targetPort: 8443
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: istio-ingressgateway
spec:
selector:
matchLabels:
istio: ingressgateway
template:
metadata:
annotations:
# Select the gateway injection template (rather than the default sidecar template)
inject.istio.io/templates: gateway
labels:
# Set a unique label for the gateway. This is required to ensure Gateways can select this workload
istio: ingressgateway
# Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name"
sidecar.istio.io/inject: "true"
spec:
containers:
- name: istio-proxy
image: auto # The image will automatically update each time the pod starts.

---
# Set up roles to allow reading credentials for TLS
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: istio-ingressgateway-sds
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: istio-ingressgateway-sds
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: istio-ingressgateway-sds
subjects:
- kind: ServiceAccount
name: default
---
#Allow outside traffic to access the gateway
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: gatewayingress
spec:
podSelector:
matchLabels:
istio: ingressgateway
ingress:
- {}
policyTypes:
- Ingress
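Review bot: the `istio-ingressgateway-sds` RoleBinding grants `get`, `watch` and `list` on every Secret in the namespace to the `default` ServiceAccount, and the Deployment sets no `serviceAccountName`, so every other pod in that namespace running under `default` inherits read access to all TLS secrets. Add a dedicated `ServiceAccount` (for example `istio-ingressgateway`), set `spec.template.spec.serviceAccountName` on the Deployment, and bind the Role to that account instead. The README hunk already recommends deploying gateways in a namespace separate from the control plane; a one-line comment on the Role noting that it is namespace-scoped, and therefore only reaches secrets in the gateway's namespace, would show readers why that recommendation matters. The `gatewayingress` NetworkPolicy with `ingress: - {}` admits traffic from any source on any port to the gateway pods; that is what an ingress gateway fronted by a Route needs, but the comment `#Allow outside traffic to access the gateway` should say explicitly that it opens all ingress, so that users who want to restrict access to the router's namespace or to the two exposed ports know to tighten it rather than copy it as-is.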