Ingress to single cluster mesh
Use Gloo Gateway as the ingress gateway for your ambient mesh.
About ambient mesh
Solo.io and Google collaborated to develop ambient mesh, a new “sidecarless” architecture for the Istio service mesh. Ambient mesh uses node-level ztunnels to route and secure Layer 4 traffic between pods with mutual TLS (mTLS). Waypoint proxies enforce Layer 7 traffic policies whenever needed. To onboard apps into the ambient mesh, you simply label the namespace the app belongs to. Because no sidecars need to be injected into your apps, ambient mesh significantly reduces the complexity of adopting a service mesh.
To learn more about ambient, see the ambient mesh documentation.
About this guide
In this guide, you learn how to use Gloo Gateway as the ingress gateway to route traffic to the httpbin app that is part of an ambient service mesh.
This guide assumes that you run your ambient mesh in a single cluster and want to use Gloo Gateway as the ingress gateway to protect your ambient mesh services.
Before you begin
Follow the Get started guide to install Gloo Gateway.
Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
echo $INGRESS_GW_ADDRESS
If your gateway service has no external address, port-forward the http gateway deployment on port 8080 instead and use localhost:8080 in the requests that follow.
kubectl port-forward deployment/http -n gloo-system 8080:8080
Step 1: Enable the Istio integration
Upgrade your Gloo Gateway installation to enable the Istio integration so that Gloo Gateway works with Istio DestinationRules.
Get the Helm values for your current Helm installation.
helm get values gloo-gateway -n gloo-system -o yaml > gloo-gateway.yaml
open gloo-gateway.yaml
Add the following values to the Helm values file to enable the Istio integration in Gloo Gateway.
controller:
  extraEnv:
    KGW_ENABLE_ISTIO_INTEGRATION: true
Upgrade your Helm installation.
helm upgrade -i --namespace gloo-system --version 2.0.2 gloo-gateway oci://us-docker.pkg.dev/solo-public/gloo-gateway/charts/gloo-gateway -f gloo-gateway.yaml
Step 2: Set up an ambient mesh
Set up an ambient mesh in your cluster to secure service-to-service communication with mutual TLS. You can use Solo.io’s Gloo Operator to install a managed ambient mesh, or manually install and manage your own ambient mesh installation.
- Solo distribution of Istio: The -solo distribution of Istio is a hardened Istio enterprise image, which maintains n-4 support for CVEs and other security fixes. Note that a Solo Enterprise for Istio Enterprise-level license is required to install the Solo distribution of Istio. Choose from the following options for installing ambient.
  - Managed ambient mesh with Gloo Operator: Follow the Install managed ambient meshes guide in the Solo Enterprise for Istio docs to quickly install a managed Solo distribution of Istio by using the Gloo Operator.
  - Manual ambient mesh installation: Manually install a -solo distribution of Istio.
- Community ambient mesh: Install the community version of ambient mesh by following the ambient mesh quickstart tutorial. This tutorial uses a script to quickly set up an ambient mesh in your cluster. You do not need to create an Istio ingress gateway, because you configure Gloo Gateway as the ingress gateway for your ambient mesh.
Step 3: Set up the ingress gateway
To set up Gloo Gateway as the ingress gateway for your ambient mesh, you simply add all the namespaces that you want to secure to your ambient mesh, including the namespace that your gateway proxy is deployed to.
Add the httpbin namespace and, optionally, the gloo-system namespace to your ambient mesh. The label instructs istiod to configure a ztunnel socket on all the pods in that namespace so that traffic to these pods is secured via mutual TLS (mTLS). If you do not label the gloo-system namespace, the traffic from the gateway proxy to the app is not secured via mTLS.
kubectl label ns gloo-system istio.io/dataplane-mode=ambient
kubectl label ns httpbin istio.io/dataplane-mode=ambient
Send a request to the httpbin app and verify that you get back a 200 HTTP response code. All traffic from the gateway is automatically intercepted by a ztunnel that is co-located on the same node as the gateway. The ztunnel collects Layer 4 metrics before it forwards the request to the ztunnel that is co-located on the same node as the httpbin app. The connection between ztunnels is secured via mutual TLS.
If you use the external address of the gateway:
curl -i http://$INGRESS_GW_ADDRESS:8080/headers -H "host: www.example.com:8080"
If you port-forwarded the http pod on port 8080:
kubectl port-forward deployment/http -n gloo-system 8080:8080
curl -i localhost:8080/headers -H "host: www.example.com"
Example output:
HTTP/1.1 200 OK
...
{
  "headers": {
    "Accept": [
      "*/*"
    ],
    "Host": [
      "www.example.com:8080"
    ],
    "User-Agent": [
      "curl/8.7.1"
    ],
    "X-Envoy-Expected-Rq-Timeout-Ms": [
      "15000"
    ],
    "X-Forwarded-Proto": [
      "http"
    ],
    "X-Request-Id": [
      "929c334b-e611-4aba-9bc6-ad6b2450db26"
    ]
  }
}
Verify that traffic between the gateway proxy and the httpbin app is secured via mutual TLS. Because traffic in an ambient mesh is intercepted by the ztunnels that are co-located on the same node as the sending and receiving service, you can check the logs of the ztunnels.
Find the node that the httpbin app runs on.
kubectl get pods -n httpbin -o wide
Example output:
NAME                       READY   STATUS    RESTARTS   AGE   IP           NODE                                     NOMINATED NODE   READINESS GATES
httpbin-54cf575757-hdv8t   3/3     Running   0          22h   10.XX.X.XX   gke-ambient-default-pool-bb9a8da5-bdf4   <none>           <none>
Find the ztunnel that runs on the same node as the httpbin app.
kubectl get pods -n istio-system -o wide | grep ztunnel
Check the logs of that ztunnel instance and verify that the source and destination workloads have a SPIFFE ID.
kubectl logs <ztunnel-instance> -n istio-system
Example output:
2025-03-19T17:32:42.762545Z info http access request complete src.addr=10.0.71.117:42468 src.workload="http-9db6c8995-l54dw" src.namespace="gloo-system" src.identity="spiffe://cluster.local/ns/gloo-system/sa/http" dst.addr=10.0.65.144:15008 dst.hbone_addr=10.0.65.144:8080 dst.service="httpbin.httpbin.svc.cluster.local" dst.workload="httpbin-577649ddb-7nc8p" dst.namespace="httpbin" dst.identity="spiffe://cluster.local/ns/httpbin/sa/httpbin" direction="inbound" method=GET path="/headers" protocol=HTTP1 response_code=200 host="www.example.com:8080" user_agent="curl/8.7.1" request_id="4c5fc679-c5cd-4721-8735-51bcdbea6e0f" duration="0ms"
2025-03-19T17:32:46.810472Z info access connection complete src.addr=10.0.71.117:42468 src.workload="http-9db6c8995-l54dw" src.namespace="gloo-system" src.identity="spiffe://cluster.local/ns/gloo-system/sa/http" dst.addr=10.0.65.144:15008 dst.hbone_addr=10.0.65.144:8080 dst.service="httpbin.httpbin.svc.cluster.local" dst.workload="httpbin-577649ddb-7nc8p" dst.namespace="httpbin" dst.identity="spiffe://cluster.local/ns/httpbin/sa/httpbin" direction="inbound" bytes_sent=1290 bytes_recv=550 duration="6742ms"
Optional: Expose the Bookinfo sample app
You can optionally deploy the Bookinfo sample app to your ambient mesh, and verify that Gloo Gateway correctly routes requests to its services.
Add Bookinfo to the ambient mesh
For testing purposes, you can deploy Bookinfo, the Istio sample app, and add it to your ambient mesh. Note that if you already followed the example to deploy Bookinfo in the Solo Enterprise for Istio docs, you can continue to the next section.
Create the bookinfo namespace, and label it with the istio.io/dataplane-mode=ambient label. This label adds all Bookinfo services that you create in the namespace to the ambient mesh.
kubectl create ns bookinfo
kubectl label namespace bookinfo istio.io/dataplane-mode=ambient
Deploy the Bookinfo app.
# deploy bookinfo application components for all versions
kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.27.8/samples/bookinfo/platform/kube/bookinfo.yaml -l 'app'
# deploy an updated product page with extra container utilities such as 'curl' and 'netcat'
kubectl -n bookinfo apply -f https://raw.githubusercontent.com/solo-io/doc-examples/main/istio/sample-apps/productpage-with-curl.yaml
# deploy all bookinfo service accounts
kubectl -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/1.27.8/samples/bookinfo/platform/kube/bookinfo.yaml -l 'account'
Verify that the Bookinfo app is deployed successfully.
kubectl get pods,svc -n bookinfo
Verify that you can access the ratings app from the product page app.
kubectl -n bookinfo debug -i pods/$(kubectl get pod -l app=productpage -A -o jsonpath='{.items[0].metadata.name}') --image=curlimages/curl -- curl -v http://ratings:9080/ratings/1
Example output:
...
< HTTP/1.1 200 OK
< Content-type: application/json
< Date: Tue, 24 Dec 2024 20:58:23 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
< Transfer-Encoding: chunked
<
{ [59 bytes data]
100    48    0    48    0     0   2549      0 --:--:-- --:--:-- --:--:--  2666
* Connection #0 to host ratings left intact
{"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}}
Route to Bookinfo services
To expose the app to incoming traffic requests, you create an HTTPRoute resource that references the product page microservice.
Create an HTTPRoute resource that defines routing rules for each microservice path.
kubectl apply -n bookinfo -f- <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: bookinfo
spec:
  parentRefs:
  - name: http
    namespace: gloo-system
  rules:
  - matches:
    - path:
        type: Exact
        value: /productpage
    - path:
        type: PathPrefix
        value: /static
    - path:
        type: Exact
        value: /login
    - path:
        type: Exact
        value: /logout
    - path:
        type: PathPrefix
        value: /api/v1/products
    backendRefs:
    - name: productpage
      port: 9080
EOF
Verify that Gloo Gateway correctly routes traffic requests to Bookinfo services in your ambient mesh by opening the product page in your web browser.
open http://$INGRESS_GW_ADDRESS:8080/productpage
Optional: Review ambient traffic in the Gloo UI
Use the Gloo UI graph to visualize the traffic flow through your ambient mesh, and open the built-in Prometheus expression browser to verify that traffic between services is secured via mutual TLS.
Use the Gloo UI graph
Install or upgrade the Gloo UI. Be sure to include your license key for the Solo distribution of Istio in your Gloo UI Helm values, so that you can review ambient mesh traffic in the Gloo UI graph. If you already installed the Gloo UI, you can use the guide to upgrade your installation with your license key.
Port-forward the gloo-mesh-ui service on 8090.
kubectl port-forward -n gloo-system svc/gloo-mesh-ui 8090:8090 --context $REMOTE_CONTEXT1
Open your browser and connect to http://localhost:8090.
open http://localhost:8090/
Go to Graph.
Verify that you see traffic between the gateway proxy and the Bookinfo app as shown in the following image.
Figure: Gloo UI Graph
View metrics
Port-forward the built-in Prometheus expression browser.
kubectl -n gloo-mesh port-forward deploy/prometheus-server 9091
Open the Prometheus expression browser.
Enter istio_requests_total{destination_workload_namespace="httpbin"} into the query field and review the results. Verify that you see a SPIFFE ID for the source and destination workload and that the connection_security_policy is set to mutual_tls.
Example output:
istio_requests_total{app="gloo-telemetry-collector-agent", cluster="gloo-gateway-ambient-mgt", collector_pod="gloo-telemetry-collector-79f767f765-bqqhb", component="standalone-collector", connection_security_policy="mutual_tls", destination_cluster="gloo-gateway-ambient-mgt", destination_principal="spiffe://gloo-gateway-ambient-mgt/ns/httpbin/sa/httpbin", destination_service="httpbin.httpbin.svc.cluster.local", destination_workload="httpbin", destination_workload_id="httpbin.httpbin.gloo-gateway-ambient-mgt", destination_workload_namespace="httpbin", namespace="istio-system", reporter="destination", response_code="200", response_flags="-", source_cluster="gloo-gateway-ambient-mgt", source_principal="spiffe://gloo-gateway-ambient-mgt/ns/gloo-system/sa/gloo-proxy-http", source_workload="gloo-proxy-http", source_workload_namespace="gloo-system", workload_id="gloo-proxy-http.gloo-system.gloo-gateway-ambient-mgt"}
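Both verification steps on this page, reading the ztunnel access log in Step 3 and querying istio_requests_total here, come down to the same check: the source and destination of each request carry a SPIFFE ID for the expected trust domain, namespace and service account, and the connection is reported as mutual TLS. The script below is an added example that is not part of the Gloo Gateway docs or of Istio; it parses both kinds of evidence into a field dict and applies that one invariant, so you can pipe saved ztunnel log lines or Prometheus series through it instead of eyeballing them. All sample lines in it are constructed, modelled on the output shown above; the trust domains, namespaces and service accounts it expects (cluster.local, gloo-system/http, httpbin/httpbin, and the gloo-gateway-ambient-mgt values from the Prometheus output) are taken from this page and are assumptions about your cluster.

```python
"""Check that gateway-to-httpbin traffic in the ambient mesh was mTLS-secured.

Added example, not part of the Gloo Gateway docs or Istio. Two inputs are
handled: ztunnel access-log lines (space-separated key=value pairs, values
optionally quoted) and istio_requests_total series as printed by the
Prometheus expression browser (metric{label="value", ...}). Both are reduced
to a dict and checked against one invariant: source and destination carry a
SPIFFE ID for the expected trust domain, namespace and service account, and
the connection is reported as mutual TLS. All sample data is constructed.
"""
import re
from dataclasses import dataclass, field

_KV_RE = re.compile(r'([A-Za-z_.]+)=("([^"]*)"|(\S+))')              # key=value or key="value"
_SERIES_RE = re.compile(r'^\s*[A-Za-z_:][A-Za-z0-9_:]*\{(.*)\}\s*$')  # metric{labels}
_LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')
_SPIFFE_RE = re.compile(r'^spiffe://([^/]+)/ns/([^/]+)/sa/([^/]+)$')


@dataclass
class Finding:
    ok: bool
    reasons: list = field(default_factory=list)


def parse_ztunnel_line(line):
    """Extract key=value fields from one ztunnel access-log line."""
    out = {}
    for m in _KV_RE.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return out


def parse_prom_series(series):
    """Extract the label set from a Prometheus series string."""
    m = _SERIES_RE.match(series)
    if not m:
        raise ValueError("not a Prometheus series: %r" % series[:40])
    return dict(_LABEL_RE.findall(m.group(1)))


def identity_problem(principal, expected):
    """Return None if principal is the SPIFFE ID (trust_domain, ns, sa) in expected."""
    m = _SPIFFE_RE.match(principal or "")
    if not m:
        return "no SPIFFE identity (got %r)" % principal
    if m.groups() != expected:
        return "unexpected identity %s" % principal
    return None


def evaluate_ztunnel(line, src, dst):
    """Check one ztunnel log line; src/dst are (trust_domain, namespace, service_account)."""
    f = parse_ztunnel_line(line)
    reasons = [r for r in (identity_problem(f.get("src.identity"), src),
                           identity_problem(f.get("dst.identity"), dst)) if r]
    # ztunnel-to-ztunnel traffic arrives on the HBONE port 15008, as in the page's log
    if not f.get("dst.addr", "").endswith(":15008"):
        reasons.append("destination %r is not the HBONE port" % f.get("dst.addr"))
    return Finding(not reasons, reasons)


def evaluate_series(series, src, dst):
    """Check one istio_requests_total series from the Prometheus browser."""
    lbl = parse_prom_series(series)
    reasons = [r for r in (identity_problem(lbl.get("source_principal"), src),
                           identity_problem(lbl.get("destination_principal"), dst)) if r]
    if lbl.get("connection_security_policy") != "mutual_tls":
        reasons.append("connection_security_policy=%r" % lbl.get("connection_security_policy"))
    return Finding(not reasons, reasons)


# --- constructed samples, modelled on the output shown on this page -----------
GW = ("cluster.local", "gloo-system", "http")
APP = ("cluster.local", "httpbin", "httpbin")

GOOD_ZTUNNEL = ('2025-03-19T17:32:42.762545Z info http access request complete '
    'src.addr=10.0.71.117:42468 src.workload="http-9db6c8995-l54dw" src.namespace="gloo-system" '
    'src.identity="spiffe://cluster.local/ns/gloo-system/sa/http" dst.addr=10.0.65.144:15008 '
    'dst.hbone_addr=10.0.65.144:8080 dst.service="httpbin.httpbin.svc.cluster.local" '
    'dst.identity="spiffe://cluster.local/ns/httpbin/sa/httpbin" direction="inbound" '
    'method=GET path="/headers" protocol=HTTP1 response_code=200')
# Constructed: no source identity and no HBONE port, the shape you must not accept.
BAD_ZTUNNEL = ('2025-03-19T17:40:01.000000Z info access connection complete '
    'src.addr=10.0.71.117:50122 src.workload="http-9db6c8995-l54dw" src.namespace="gloo-system" '
    'dst.addr=10.0.65.144:8080 dst.service="httpbin.httpbin.svc.cluster.local" '
    'dst.identity="spiffe://cluster.local/ns/httpbin/sa/httpbin" direction="inbound"')

PROM_GW = ("gloo-gateway-ambient-mgt", "gloo-system", "gloo-proxy-http")
PROM_APP = ("gloo-gateway-ambient-mgt", "httpbin", "httpbin")
GOOD_SERIES = ('istio_requests_total{connection_security_policy="mutual_tls", '
    'destination_principal="spiffe://gloo-gateway-ambient-mgt/ns/httpbin/sa/httpbin", '
    'destination_workload_namespace="httpbin", reporter="destination", response_code="200", '
    'source_principal="spiffe://gloo-gateway-ambient-mgt/ns/gloo-system/sa/gloo-proxy-http"}')
BAD_SERIES = GOOD_SERIES.replace('"mutual_tls"', '"none"')  # constructed plaintext series

if __name__ == "__main__":
    for name, fnd in (("ztunnel ok", evaluate_ztunnel(GOOD_ZTUNNEL, GW, APP)),
                      ("ztunnel bad", evaluate_ztunnel(BAD_ZTUNNEL, GW, APP)),
                      ("prom ok", evaluate_series(GOOD_SERIES, PROM_GW, PROM_APP)),
                      ("prom bad", evaluate_series(BAD_SERIES, PROM_GW, PROM_APP))):
        print(name, "PASS" if fnd.ok else "FAIL: " + "; ".join(fnd.reasons))
```

To run it against a live cluster, replace the constructed samples with the output of kubectl logs <ztunnel-instance> -n istio-system (one line per request) or with the series the Prometheus browser returns, and adjust the expected trust domain and service accounts to match your installation; the check fails closed, so a line with no src.identity, a principal from an unexpected namespace, or connection_security_policy other than mutual_tls is reported rather than silently passed.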