Ingress to multicluster mesh
Use Gloo Gateway as the ingress gateway to a multicluster ambient mesh.
About ambient mesh
Solo collaborated with Google to develop ambient mesh, a new “sidecarless” architecture for the Istio service mesh. Ambient mesh uses node-level ztunnels to route and secure Layer 4 traffic between pods with mutual TLS (mTLS). Waypoint proxies enforce Layer 7 traffic policies whenever needed. To onboard apps into the ambient mesh, you simply label the namespace the app belongs to. Because no sidecars need to be injected into your apps, ambient mesh significantly reduces the complexity of adopting a service mesh.
To learn more about ambient, see the ambient mesh documentation.
About this guide
This feature requires both a Gloo Mesh (OSS APIs) and a Gloo Gateway Enterprise license. If you do not have these licenses, contact an account representative. For more information, see the version compatibility matrix.
Set up a multicluster ambient mesh and expose apps across multiple clusters with a global hostname. Then, use your gateway proxy to load balance ambient mesh traffic across your clusters.
This guide assumes that you have two clusters, ${REMOTE_CLUSTER1} and ${REMOTE_CLUSTER2}, that you want to install ambient meshes in and link together. Gloo Gateway is installed in ${REMOTE_CLUSTER1} alongside your ambient mesh workloads. To try out the multicluster routing capabilities, you deploy the Bookinfo app in both clusters. Then, you expose the productpage app across clusters with a global hostname, productpage.bookinfo.mesh.internal. Gloo Gateway uses the global hostname to route traffic to the productpage apps in both clusters.
Before you begin
Follow the Get started guide to install Gloo Gateway.
Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
Step 1: Set up a multicluster ambient mesh
Follow the multicluster ambient mesh setup guide in the Gloo Mesh documentation to install ambient in two clusters, ${REMOTE_CLUSTER1} and ${REMOTE_CLUSTER2}. The steps include setting up a shared root of trust, installing ambient in each cluster, and linking both clusters to create your multicluster ambient mesh. You can choose between the following installation methods:
This guide assumes that Gloo Gateway is installed in ${REMOTE_CLUSTER1}. Add the gloo-system namespace to your ambient mesh. This label ensures that traffic from the gateway proxy to your apps is secured via mTLS.
kubectl label ns gloo-system istio.io/dataplane-mode=ambient --context ${REMOTE_CONTEXT1}
Step 2: Set up multicluster routing
Before setting up routing through the ingress gateway, verify multicluster routing within the mesh.
Make sure that you can route from the ratings app to the global hostname that the productpage apps are exposed on.
kubectl -n bookinfo --context ${REMOTE_CONTEXT1} debug -i pods/$(kubectl get pod -l app=ratings \
  --context ${REMOTE_CONTEXT1} -A -o jsonpath='{.items[0].metadata.name}') \
  --image=curlimages/curl -- curl -vik http://productpage.bookinfo.mesh.internal:9080/productpage
Scale down the productpage app in ${REMOTE_CLUSTER1}.
kubectl scale deployment productpage-v1 -n bookinfo --context ${REMOTE_CONTEXT1} --replicas=0
Repeat the request to the productpage app. Because the productpage app is scaled down in ${REMOTE_CLUSTER1}, traffic is forced to go to the productpage app in ${REMOTE_CLUSTER2}. Verify that you continue to see a 200 HTTP response code.
kubectl -n bookinfo --context ${REMOTE_CONTEXT1} debug -i pods/$(kubectl get pod -l app=ratings \
  --context ${REMOTE_CONTEXT1} -A -o jsonpath='{.items[0].metadata.name}') \
  --image=curlimages/curl -- curl -vik http://productpage.bookinfo.mesh.internal:9080/productpage
Scale up the productpage app in ${REMOTE_CLUSTER1}.
kubectl scale deployment productpage-v1 -n bookinfo --context ${REMOTE_CONTEXT1} --replicas=1
Create an HTTPRoute to expose the global hostname for the productpage app along the /productpage prefix path on the http Gateway that you created in the get started tutorial. The backendRef uses kind Hostname in the networking.istio.io group, so the gateway resolves the global hostname through the ambient mesh rather than through a single-cluster Service.
kubectl apply --context ${REMOTE_CONTEXT1} -f- <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: productpage
  namespace: gloo-system
spec:
  parentRefs:
  - name: http
    namespace: gloo-system
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /productpage
    backendRefs:
    - name: productpage.bookinfo.mesh.internal
      port: 9080
      kind: Hostname
      group: networking.istio.io
EOF
Verify multicluster routing through the ingress gateway.
Send a request through the ingress gateway along the /productpage path. Verify that you get back a 200 HTTP response code.
curl -I http://$INGRESS_GW_ADDRESS:8080/productpage
Example output:
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 5179
server: envoy
x-envoy-upstream-service-time: 133
Scale down the productpage app in ${REMOTE_CLUSTER1}.
kubectl scale deployment productpage-v1 -n bookinfo --context ${REMOTE_CONTEXT1} --replicas=0
Repeat the request along the /productpage path. Because the productpage app is scaled down in ${REMOTE_CLUSTER1}, traffic is forced to go to the productpage app in ${REMOTE_CLUSTER2}. Verify that you continue to see a 200 HTTP response code.
curl -I http://$INGRESS_GW_ADDRESS:8080/productpage
Example output:
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 5179
server: envoy
x-envoy-upstream-service-time: 133
Scale up the productpage app in ${REMOTE_CLUSTER1}.
kubectl scale deployment productpage-v1 -n bookinfo --context ${REMOTE_CONTEXT1} --replicas=1
Optional: Review ambient traffic in the Gloo UI
Use the Gloo UI graph to visualize the traffic flow through your ambient mesh, and open the built-in Prometheus expression browser to verify that traffic between services is secured via mutual TLS.
Use the Gloo UI graph
Install or upgrade the Gloo UI. Be sure to include your license key for the Solo distribution of Istio in your Gloo UI Helm values, so that you can review ambient mesh traffic in the Gloo UI graph. If you already installed the Gloo UI, you can use the guide to upgrade your installation with your license key.
Port-forward the gloo-mesh-ui service on 8090.
kubectl port-forward -n gloo-system svc/gloo-mesh-ui 8090:8090 --context $REMOTE_CONTEXT1
Open your browser and connect to http://localhost:8090.
open http://localhost:8090/
Go to Graph.
Verify that you see traffic between the gateway proxy and the Bookinfo app as shown in the following image.
View metrics
Port-forward the built-in Prometheus expression browser.
kubectl -n gloo-mesh port-forward deploy/prometheus-server 9091
Open the Prometheus expression browser.
Enter istio_requests_total{destination_workload_namespace="httpbin"} into the query field and review the results. Verify that you see a SPIFFE ID for the source and destination workload and that the connection_security_policy is set to mutual_tls. Example output:
istio_requests_total{app="gloo-telemetry-collector-agent", cluster="gloo-gateway-ambient-mgt", collector_pod="gloo-telemetry-collector-79f767f765-bqqhb", component="standalone-collector", connection_security_policy="mutual_tls", destination_cluster="gloo-gateway-ambient-mgt", destination_principal="spiffe://gloo-gateway-ambient-mgt/ns/httpbin/sa/httpbin", destination_service="httpbin.httpbin.svc.cluster.local", destination_workload="httpbin", destination_workload_id="httpbin.httpbin.gloo-gateway-ambient-mgt", destination_workload_namespace="httpbin", namespace="istio-system", reporter="destination", response_code="200", response_flags="-", source_cluster="gloo-gateway-ambient-mgt", source_principal="spiffe://gloo-gateway-ambient-mgt/ns/gloo-system/sa/gloo-proxy-http", source_workload="gloo-proxy-http", source_workload_namespace="gloo-system", workload_id="gloo-proxy-http.gloo-system.gloo-gateway-ambient-mgt"}
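The manual check above scales poorly once many workloads report metrics. As an added example (not part of the Gloo documentation or its tooling), the following Python script parses istio_requests_total series in Prometheus text format and flags any hop whose connection_security_policy is not mutual_tls or whose principals are not SPIFFE IDs in the expected trust domain and namespace. The sample series are constructed, modelled on the output shown above; the trust domain gloo-gateway-ambient-mgt is taken from that output.

```python
import re

# Constructed sample series, modelled on the istio_requests_total output shown in
# this guide (not captured from a live cluster). The second series is constructed
# to show what a hop that bypassed the ambient mesh would look like.
SAMPLE_SERIES = [
    'istio_requests_total{connection_security_policy="mutual_tls", '
    'destination_principal="spiffe://gloo-gateway-ambient-mgt/ns/httpbin/sa/httpbin", '
    'destination_workload="httpbin", destination_workload_namespace="httpbin", '
    'reporter="destination", response_code="200", '
    'source_principal="spiffe://gloo-gateway-ambient-mgt/ns/gloo-system/sa/gloo-proxy-http", '
    'source_workload="gloo-proxy-http", source_workload_namespace="gloo-system"} 42',
    'istio_requests_total{connection_security_policy="none", '
    'destination_principal="unknown", destination_workload="httpbin", '
    'destination_workload_namespace="httpbin", reporter="destination", '
    'response_code="200", source_principal="unknown", source_workload="unknown", '
    'source_workload_namespace="unknown"} 3',
]

LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
SPIFFE_RE = re.compile(r"^spiffe://(?P<td>[^/]+)/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")


def parse_labels(series: str) -> dict[str, str]:
    """Return the label set of one series in Prometheus text exposition format."""
    start, end = series.index("{"), series.rindex("}")
    return dict(LABEL_RE.findall(series[start + 1:end]))


def check_mtls(labels: dict[str, str], trust_domain: str) -> list[str]:
    """Findings for one hop; empty means mTLS between SPIFFE IDs of the expected domain."""
    findings = []
    if labels.get("connection_security_policy") != "mutual_tls":
        findings.append(f"policy={labels.get('connection_security_policy')}")
    for side in ("source", "destination"):
        principal = labels.get(f"{side}_principal", "")
        m = SPIFFE_RE.match(principal)
        if not m:
            findings.append(f"{side}_principal is not a SPIFFE ID: {principal!r}")
            continue
        if m["td"] != trust_domain:
            findings.append(f"{side} trust domain {m['td']} != {trust_domain}")
        if m["ns"] != labels.get(f"{side}_workload_namespace"):
            findings.append(f"{side} SPIFFE namespace {m['ns']} != workload namespace")
    return findings


def audit(series_lines: list[str], trust_domain: str = "gloo-gateway-ambient-mgt") -> dict[str, list[str]]:
    """Map each series' source_workload to its findings."""
    return {parse_labels(s)["source_workload"]: check_mtls(parse_labels(s), trust_domain)
            for s in series_lines}
```

To run it against a live mesh, feed it the lines returned by the Prometheus /api/v1/query endpoint for the query shown above instead of SAMPLE_SERIES.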
Next
Now that you set up Gloo Gateway as the ingress gateway for your multicluster ambient mesh, you can further control and secure ingress traffic with Gloo Gateway policies.