Ingress

Controlling ingress traffic for an Istio service mesh.

Ingress Gateway

An ingress Gateway describes a load balancer operating at the edge of the mesh that receives incoming HTTP/TCP connections. It configures exposed ports, protocols, etc. but, unlike Kubernetes Ingress Resources, does not include any traffic routing configuration. Traffic routing for ingress traffic is instead configured using Istio routing rules, exactly in the same way as for internal service requests.

Official docs

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "bookinfo.zik.ooo"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "bookinfo.zik.ooo"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080

Secure/HTTPS Gateway

  1. Create a root certificate and private key to sign the certificates for your services:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=zik Inc./CN=zik.ooo' -keyout zik.ooo.key -out zik.ooo.crt
  2. Create a certificate and a private key for bookinfo.zik.ooo, signed by that root:
openssl req -out bookinfo.zik.ooo.csr -newkey rsa:2048 -nodes -keyout bookinfo.zik.ooo.key -subj "/CN=bookinfo.zik.ooo/O=bookinfo organization"
openssl x509 -req -sha256 -days 365 -CA zik.ooo.crt -CAkey zik.ooo.key -set_serial 0 -in bookinfo.zik.ooo.csr -out bookinfo.zik.ooo.crt
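Before the key and certificate from the two steps above go into the gateway secret, it is worth confirming that the pair verifies the way a TLS client will verify it. The script below is an added example, not part of the original notes: it rebuilds the same zik.ooo root CA and bookinfo.zik.ooo leaf in a scratch directory (adding a subjectAltName, which current browsers and curl require alongside the CN), then checks the chain, the hostname, and that the private key belongs to the certificate. File names are those used in the commands above; openssl 1.1.0 or newer is assumed for -verify_hostname.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: rebuild the zik.ooo root CA and the
# bookinfo.zik.ooo leaf from the openssl steps above in a scratch directory, then run
# the checks worth doing before the pair goes into the gateway's TLS secret.
# Assumes openssl >= 1.1.0 (for -verify_hostname).
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Same root CA as step 1 above.
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
  -subj '/O=zik Inc./CN=zik.ooo' -keyout zik.ooo.key -out zik.ooo.crt 2>/dev/null

# Leaf CSR as in step 2, signed with a subjectAltName extension added: current
# browsers and curl ignore the CN and only accept the host name from the SAN.
openssl req -out bookinfo.zik.ooo.csr -newkey rsa:2048 -nodes \
  -keyout bookinfo.zik.ooo.key -subj "/CN=bookinfo.zik.ooo/O=bookinfo organization" 2>/dev/null
printf 'subjectAltName=DNS:bookinfo.zik.ooo\n' > san.ext
openssl x509 -req -sha256 -days 365 -CA zik.ooo.crt -CAkey zik.ooo.key -set_serial 0 \
  -in bookinfo.zik.ooo.csr -out bookinfo.zik.ooo.crt -extfile san.ext 2>/dev/null

# chain_ok CA LEAF HOST: does LEAF chain to CA and carry HOST as a SAN?
# This is exactly what a client connecting to the gateway will check.
chain_ok() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# key_matches LEAF KEY: the secret is useless (and the gateway will not serve
# the host) if the private key does not belong to the certificate.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Run once; the names are the ones used in the steps above.
if chain_ok zik.ooo.crt bookinfo.zik.ooo.crt bookinfo.zik.ooo &&
   key_matches bookinfo.zik.ooo.crt bookinfo.zik.ooo.key; then
  echo "bookinfo.zik.ooo.crt and .key verify; safe to load into the TLS secret"
fi
```

A mismatched host (for example www.zik.ooo, which the certificate does not list) or the wrong key makes the respective check fail, which is the same failure a client would see at the gateway.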

Configure a TLS ingress gateway for a single host

  1. Store the key and certificate in a TLS secret in istio-system (the secret name must match the Gateway's credentialName below):
kubectl create -n istio-system secret tls bookinfo-zik-ooo-tls --key=bookinfo.zik.ooo.key --cert=bookinfo.zik.ooo.crt
  2. Create Istio Gateway
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-https-gw
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: bookinfo-zik-ooo-tls # must match the name of the TLS secret in istio-system
    hosts:
    - bookinfo.zik.ooo
EOF
  3. Create VirtualService to define a request route for the gateway
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo-for-https
spec:
  hosts:
  - "bookinfo.zik.ooo"
  gateways:
  - bookinfo-https-gw
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
EOF

SNI Passthrough

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: argocdgateway
  namespace: argocd
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - argocd.zik.ooo
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - argocd.zik.ooo
EOF
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: argocd-server-vsvc
  namespace: argocd
spec:
  hosts:
  - "argocd.zik.ooo"
  gateways:
  - argocdgateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: argo-cd-argocd-server
        port:
          number: 80
  tls:
  - match:
    - port: 443
      sniHosts:
      - argocd.zik.ooo
    route:
    - destination:
        host: argo-cd-argocd-server
        port:
          number: 443
EOF

Work with Cert Manager

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: istio-system
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: supakorn@jigko.net
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: istio
EOF
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: bookinfo-zik-ooo
  namespace: istio-system
spec:
  # Secret names are always required.
  secretName: bookinfo-zik-ooo-tls

  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - zik
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  # At least one of a DNS Name, URI, or IP address is required.
  dnsNames:
    - bookinfo.zik.ooo
  # Issuer references are always required.
  issuerRef:
    name: letsencrypt-prod
    kind: Issuer
EOF