Use Gloo Gateway as the ingress gateway to control and secure traffic that enters your service mesh .

A service mesh is a dedicated infrastructure layer that you add your apps to, which ensures secure service-to-service communication across cloud networks. With a service mesh, you can solve problems such as service identity, mutual TLS communication, consistent L7 network telemetry gathering, service resilience, secure traffic routing between services across clusters, and policy enforcement, such as to enforce quotas or rate limit requests. To learn more about the benefits of using a service mesh, see What is Istio in the Istio documentation.

About Istio

The open source project Istio is the leading service mesh implementation that offers powerful features to secure, control, connect, and monitor cloud-native, distributed applications. Istio is designed for workloads that run in one or more Kubernetes clusters, but you can also extend your service mesh to include virtual machines and other endpoints that are hosted outside your cluster. The key benefits of Istio include:

  • Automatic load balancing for HTTP, gRPC, WebSocket, MongoDB, and TCP traffic
  • Secure TLS encryption for service-to-service communication with identity-based authentication and authorization
  • Advanced routing and traffic management policies, such as retries, failovers, and fault injection
  • Fine-grained access control and quotas
  • Automatic logs, metrics, and traces for traffic in the service mesh

About the sidecar Istio integration

Gloo Gateway comes with an Istio integration that allows you to configure your gateway proxy with an Istio sidecar. The Istio sidecar uses mutual TLS (mTLS) to prove its identity and to secure the connection between your gateway and the services in your Istio service mesh. In addition, you can control and secure the traffic that enters the mesh by applying all the advanced routing, traffic management, security, resiliency, and AI capabilities that Gloo Gateway offers.

About this guide

In this guide, you learn how to use Gloo Gateway as an ingress gateway proxy for the workloads in your Istio service mesh . You explore how to enable the Istio sidecar mesh integration in Gloo Gateway, set up your ingress gateway proxy with a sidecar, and send secure mutual TLS traffic to the Bookinfo app as illustrated in the following image.

Before you begin

  1. Follow the Get started guide to install Gloo Gateway.

  2. Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.

  3. Get the external address of the gateway and save it in an environment variable.

      export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
echo $INGRESS_GW_ADDRESS  
  
      kubectl port-forward deployment/http -n gloo-system 8080:8080

Step 1: Set up an Istio service mesh

  1. Follow the Istio documentation to install Istio in sidecar mode.
  2. Deploy the Bookinfo sample app.
  3. Verify that your Bookinfo apps are up and running.
      kubectl get pods

Step 2: Enable the Istio integration

Upgrade your Gloo Gateway installation to enable the Istio integration.

  1. Get the Helm values for your current Helm installation.

      helm get values gloo-gateway -n gloo-system -o yaml > gloo-gateway.yaml
open gloo-gateway.yaml

  2. Add the following values to the Helm values file to enable the Istio integration in Gloo Gateway.

      
controller:
  extraEnv:
    KGW_ENABLE_ISTIO_AUTO_MTLS: true

  3. Upgrade your Helm installation. This upgrade automatically triggers a restart of any existing gateway proxies to inject istio-proxy and sds containers.

      helm upgrade -i --namespace gloo-system --version 2.0.2 gloo-gateway oci://us-docker.pkg.dev/solo-public/gloo-gateway/charts/gloo-gateway -f gloo-gateway.yaml

Step 3: Update the Istio proxy settings

Create a GatewayParameters resource to configure the Istio SDS container to pull the image from the kgateway repository. The steps vary depending on the following scenarios:

  • Revisioned istiod deployment, such as istiod-main; or custom cluster or mesh IDs.
  • Revisionless Istio without custom cluster or mesh IDs.

Create a GatewayParameters resource to configure the revisioned istiod service address and any custom values for the Istio meta cluster ID and meta mesh ID.

  1. Get the name of the istiod service. Depending on how you set up Istio, you might see a service name with a revision, such as istiod-main.

      kubectl get services -n istio-system

    Example output:

      NAME          TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                                 AGE
istiod-main   ClusterIP   10.102.24.31   <none>        15010/TCP,15012/TCP,443/TCP,15014/TCP   3h49m

  2. Derive the Kubernetes service address for your istiod deployment. The service address uses the format <service-name>.<namespace>.svc:15012. For example, if your service name is istiod-main, the full service address is istiod-main.istio-system.svc:15012.

  3. Create a GatewayParameters resource to configure the revisioned istiod service address and any custom values for the Istio meta cluster ID and meta mesh ID. Note: If you do not set custom values for the cluster ID and mesh ID, you can omit these values. Then, the default values of Kubernetes for the cluster ID and cluster.local for the mesh ID are used.

      kubectl apply -f- <<EOF
apiVersion: gateway.kgateway.dev/v1alpha1
kind: GatewayParameters
metadata:
  name: custom-gw-params
  namespace: gloo-system
spec:
  kube: 
    istio:
      istioProxyContainer:
        istioDiscoveryAddress: <istiod-service-address> # such as istiod-main.istio-system.svc:15012
        istioMetaClusterId: <cluster-ID> ## such as the cluster name
        istioMetaMeshId: <meta-mesh-ID> ## such as the cluster name
    sdsContainer:
      image:
        registry: cr.kgateway.dev/kgateway-dev
        repository: sds
        tag: v2.1.0-main
EOF

Create a GatewayParameters resource to configure the Istio SDS container to pull the image from the kgateway repository.

  kubectl apply -f- <<EOF
apiVersion: gateway.kgateway.dev/v1alpha1
kind: GatewayParameters
metadata:
  name: custom-gw-params
  namespace: gloo-system
spec:
  kube:
    sdsContainer:
      image:
        registry: cr.kgateway.dev/kgateway-dev
        repository: sds
        tag: v2.1.0-main
EOF

Step 4: Create a gateway proxy

Create or update a Gateway that includes the Istio proxy.

  1. Change the http gateway from the getting started tutorial to apply the custom settings of the GatewayParameters resource.

      kubectl apply -f- <<EOF
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: http
  namespace: gloo-system
spec:
  gatewayClassName: gloo-gateway-v2
  infrastructure:
    parametersRef:
      name: custom-gw-params
      group: gateway.kgateway.dev
      kind: GatewayParameters
  listeners:
  - protocol: HTTP
    port: 8080
    name: http
    allowedRoutes:
      namespaces:
        from: All
EOF

  2. Verify that the gateway proxy is now successfully deployed.

      kubectl get pods -n gloo-system -l gateway.networking.k8s.io/gateway-name=http \
  -o jsonpath='{range .items[*]}Pod: {.metadata.name} | Status: {.status.phase}{"\n"}Containers:{"\n"}{range .spec.containers[*]}- {.name}{"\n"}{end}{"\n"}{end}'

    Example output: Note that pod is running and has three containers, including the istio-proxy.

      Pod: http-f7c7f4b78-pwgnt | Status: Running
Containers:
- kgateway-proxy
- sds
- istio-proxy

    If you do not see the three containers, try restarting the proxy to apply the latest Gateway settings.

Step 5: Verify the integration

  1. Create an HTTPRoute to route requests from the gateway proxy to the productpage app.

      kubectl apply -f- <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: bookinfo
spec:
  parentRefs:
  - name: http
    namespace: gloo-system
  hostnames:
  - istio-sidecar.example
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /productpage
    backendRefs:
      - name: productpage
        port: 9080
EOF

  2. Send a request to the productpage app through the gateway. Verify that you get back a 200 HTTP response code. This response code proves that the gateway proxy can establish a mutual TLS connection to the productpage app.

      curl -I http://$INGRESS_GW_ADDRESS:8080/productpage \
-H "host: istio-sidecar.example:8080"
  
      curl -I http://localhost:8080/productpage \
-H "host: istio-sidecar.example:8080"

    Example output:

      HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 4183
server: envoy
x-envoy-upstream-service-time: 29
x-envoy-decorator-operation: productpage.bookinfo.svc.cluster.local:9080/*

Cleanup

You can remove the resources that you created in this guide.

  1. Delete the HTTPRoute and gateway-related resources.

      kubectl delete httproute bookinfo
kubectl delete gatewayparameters custom-gw-params -n gloo-system

  2. Restore the http Gateway from the getting started tutorial.

      kubectl apply -f- <<EOF
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: http
  namespace: gloo-system
spec:
  gatewayClassName: gloo-gateway-v2
  listeners:
  - protocol: HTTP
    port: 8080
    name: http
    allowedRoutes:
      namespaces:
        from: All
EOF

  3. Get the Helm values for your current Helm installation and remove the values that you added in this guide.

      helm get values gloo-gateway -n gloo-system -o yaml > gloo-gateway.yaml
open gloo-gateway.yaml

  4. Upgrade your Helm installation.

      helm upgrade -i --namespace gloo-system --version 2.0.2 gloo-gateway oci://us-docker.pkg.dev/solo-public/gloo-gateway/charts/gloo-gateway -f gloo-gateway.yaml

  5. Follow the Istio documentation to uninstall Istio and remove the Bookinfo sample app.