Ingress Lab
This lab aims to expose the web-frontend service to the internet.
The Ingress Gateway
When Istio was installed, it deployed istiod to Kubernetes and created an Ingress Gateway.
View the corresponding Istio Ingress Gateway pod in the istio-system namespace.
kubectl get pod -l istio=ingressgateway -n istio-system
A corresponding LoadBalancer type service was also created.
kubectl get svc -n istio-system
Make a note of the external IP address for the load balancer.
Assign it to an environment variable.
GATEWAY_IP=$(kubectl get svc -n istio-system public-ingressgateway -ojsonpath='{.status.loadBalancer.ingress[0].ip}')
A small investment.
When the cloud shell connection is severed, or when opening a new terminal tab, $GATEWAY_IP will no longer be in scope.
Ensure GATEWAY_IP is set each time we start a new shell:
cat << EOF >> ~/.bashrc
export GATEWAY_IP=$(kubectl get svc -n istio-system public-ingressgateway -ojsonpath='{.status.loadBalancer.ingress[0].ip}')
EOF
Usually, we associate this IP address with a hostname via DNS. For the sake of simplicity, in this workshop, we will use the gateway public IP address directly.
Configuring Ingress
Configuring Ingress with Istio is performed in two parts:
- Define a Gateway custom resource that governs the specific host, port, and protocol to expose.
- Specify how requests should be routed with a VirtualService custom resource.
Create a Gateway resource
- Review the following Gateway specification.

gateway.yaml
```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: frontend-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
```
Above, we specify the HTTP protocol, port 80, and a wildcard (“*”) host matcher, ensuring that HTTP requests using the load balancer IP address $GATEWAY_IP will match.
The selector istio: ingressgateway ensures that this gateway resource binds to the physical Ingress Gateway.
- Apply the gateway resource to your cluster.
kubectl apply -f gateway.yaml
- Attempt an HTTP request in your browser to the gateway IP address. It should return a 404 (not found).
Create a VirtualService resource
- Review the following VirtualService specification.

web-frontend-virtualservice.yaml
```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: web-frontend
spec:
  hosts:
  - "*"
  gateways:
  - frontend-gateway
  http:
  - route:
    - destination:
        host: web-frontend.default.svc.cluster.local
        port:
          number: 80
```
Note how this specification references the name of the gateway (“frontend-gateway”), a matching host (“*”), and specifies a route for requests to be directed to the web-frontend service.
- Apply the virtual service resource to your cluster.
kubectl apply -f web-frontend-virtualservice.yaml
- List virtual services in the default namespace.
kubectl get virtualservice
The output indicates that the web-frontend virtual service is bound to the gateway and any hostname that routes to the load balancer IP address.
Finally, verify that you can access web-frontend from your web browser using the gateway IP address.
curl $GATEWAY_IP | head
Candidate follow-on exercises
We will not explore Ingress any further in this workshop. Consider the following tasks as independent exercises:
- Creating a DNS A record for the gateway IP and narrowing down the scope of the gateway to only match that hostname.
- Configuring a TLS Ingress Gateway.
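
As a starting point for both exercises, here is one possible hardened variant of the two resources above; it is an added example, not part of the original workshop. The hostname web-frontend.example.com and the Secret name web-frontend-tls are placeholders chosen for illustration.

```yaml
---
# Added example: hardened variant of frontend-gateway.
# Assumptions: web-frontend.example.com is a placeholder hostname whose DNS A
# record points at $GATEWAY_IP; web-frontend-tls is a hypothetical
# kubernetes.io/tls Secret in the ingress gateway's namespace (istio-system).
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: frontend-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                      # the gateway terminates TLS
      credentialName: web-frontend-tls  # hypothetical Secret name
    hosts:
    - "web-frontend.example.com"        # replaces the "*" matcher
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true               # plain HTTP is redirected to HTTPS
    hosts:
    - "web-frontend.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: web-frontend
spec:
  hosts:
  - "web-frontend.example.com"          # must match a host on the Gateway
  gateways:
  - frontend-gateway
  http:
  - route:
    - destination:
        host: web-frontend.default.svc.cluster.local
        port:
          number: 80
```

With the wildcard removed, a request to the bare gateway IP no longer matches any host on the gateway, so only requests that carry the configured hostname are routed to web-frontend.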
Next
The application is now running and exposed on the internet.
Our next chapter will cover the observability features of Istio.