Ingress Lab
The objective of this lab is to expose the web-frontend service to the internet.
The Ingress gateway
When you installed Istio, in addition to deploying istiod to Kubernetes, the installation also provisioned an Ingress Gateway.
View the corresponding Istio ingress gateway pod in the istio-system namespace.

```shell
kubectl get pod -l istio=ingressgateway -n istio-system
```
A corresponding LoadBalancer type service was also created:

```shell
kubectl get svc -n istio-system
```
Make a note of the external IP address for the load balancer.
Assign it to an environment variable.

```shell
GATEWAY_IP=$(kubectl get svc -n istio-system public-ingressgateway -ojsonpath='{.status.loadBalancer.ingress[0].ip}')
```
A small investment
When the cloud shell connection is severed, or when opening a new terminal tab, $GATEWAY_IP will no longer be in scope.
Ensure GATEWAY_IP is set each time we start a new shell:

```shell
# The heredoc delimiter is unquoted, so the command substitution runs now
# and the current IP address is what gets written to ~/.bashrc.
cat << EOF >> ~/.bashrc
export GATEWAY_IP=$(kubectl get svc -n istio-system public-ingressgateway -ojsonpath='{.status.loadBalancer.ingress[0].ip}')
EOF
```
In normal circumstances we associate this IP address with a hostname via DNS. For the sake of simplicity, in this workshop we will use the gateway public IP address directly.
Configuring ingress
Configuring ingress with Istio is performed in two parts:
- Define a Gateway custom resource that governs the specific host, port, and protocol to expose.
- Specify how requests should be routed with a VirtualService custom resource.
Create a Gateway resource
- Review the following Gateway specification.

!!! tldr "gateway.yaml"
    ```yaml linenums="1"
    --8<-- "gateway.yaml"
    ```
Above, we specify the HTTP protocol, port 80, and a wildcard ("*") host matcher which ensures that HTTP requests using the load balancer IP address $GATEWAY_IP will match.
The selector istio: ingressgateway ensures that this gateway resource binds to the physical ingress gateway.
- Apply the gateway resource to your cluster.

```shell
kubectl apply -f gateway.yaml
```
- Attempt an HTTP request in your browser to the gateway IP address. It should return a 404 (not found).
Create a VirtualService resource
- Review the following VirtualService specification.

??? tldr "web-frontend-virtualservice.yaml"
    ```yaml linenums="1"
    --8<-- "web-frontend-virtualservice.yaml"
    ```
Note how this specification references the name of the gateway ("frontend-gateway"), a matching host ("*"), and specifies a route for requests to be directed to the web-frontend service.
- Apply the virtual service resource to your cluster.

```shell
kubectl apply -f web-frontend-virtualservice.yaml
```

- List virtual services in the default namespace.

```shell
kubectl get virtualservice
```
The output indicates that the virtual service named web-frontend is bound to the gateway, as well as any hostname that routes to the load balancer IP address.
Finally, verify that you can now access web-frontend from your web browser using the gateway IP address.

```shell
curl $GATEWAY_IP | head
```
Candidate follow-on exercises
We will not explore ingress any further in this workshop. Consider the following as independent exercises:
- Creating a DNS A record for the gateway IP, and narrowing down the scope of the gateway to only match that hostname.
- Configuring a TLS ingress gateway
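
The two exercises above combined, as an added example that is not one of the workshop's own manifests: the Gateway and VirtualService narrowed from the wildcard host to a single hostname, with plain HTTP redirected to HTTPS. The hostname web-frontend.example.com, the secret name web-frontend-tls, and the apiVersion are assumptions; the gateway name, selector, and web-frontend destination come from the text above.

```yaml
# Added example. Placeholders: web-frontend.example.com (the DNS A record
# pointing at $GATEWAY_IP) and web-frontend-tls (a kubernetes.io/tls secret
# created in the ingress gateway's namespace, istio-system).
apiVersion: networking.istio.io/v1beta1   # assumed; match your Istio version
kind: Gateway
metadata:
  name: frontend-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  # Port 80 stays open only to redirect clients to HTTPS.
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "web-frontend.example.com"   # replaces the "*" matcher
    tls:
      httpsRedirect: true
  # TLS is terminated at the ingress gateway with the referenced secret.
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "web-frontend.example.com"
    tls:
      mode: SIMPLE
      credentialName: web-frontend-tls
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: web-frontend
spec:
  hosts:
  - "web-frontend.example.com"   # must fall within the Gateway's hosts
  gateways:
  - frontend-gateway
  http:
  - route:
    - destination:
        host: web-frontend
        # Assumes the Service exposes a single port; otherwise add
        # port.number here.
```

With this applied, a request made directly to the gateway IP address no longer matches the Gateway or the VirtualService, because its Host header is not the configured hostname.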
Next
The application is now running and exposed on the internet.
In the next chapter, we turn our attention to the observability features that are built into Istio.