Configure ingress gateways

Learn to use Gloo Mesh Gateway for incoming network traffic, also called “ingress,” “edge,” or “north-south” traffic.

By using Gloo Mesh Gateway for north-south routing, you can use the Gloo Mesh management plane to configure ingress gateways and routes across multiple clusters and service meshes in your environment. This allows you to configure your north-south routing setup alongside your east-west microservice routing, and use the Gloo Mesh observability suite to monitor all traffic flows in your environment.

Before you begin

  1. Make sure that you have a Gloo Mesh Gateway license key, or contact an account representative.
  2. Review the example architectures to decide how to set up your ingress gateways.
  3. Install Gloo Mesh with your gateway license instead of a standard Gloo Mesh Enterprise license. To install Gloo Mesh, you might use one of the following guides.
  4. Save the cluster names and Kubernetes contexts as the following environment variables.
    export MGMT_CLUSTER=mgmt-cluster
    export REMOTE_CLUSTER1=cluster-1
    export REMOTE_CLUSTER2=cluster-2
    export MGMT_CONTEXT=mgmt-cluster
    export REMOTE_CONTEXT1=cluster-1
    export REMOTE_CONTEXT2=cluster-2
    

Install Istio ingress gateway profile

Commonly, the Istio ingress gateway, which is exposed by a Kubernetes load balancer service, is the targeted listener in north-south routing configurations. The Istio ingress gateway operates at the edge of the mesh for incoming (ingress) and outgoing (egress) connections.

  1. Decide on the ingress gateway setup that you want to deploy.
    • Can I use any gateway deployment? You can use a gateway that is based on the Istio image, or on the Solo-provided Istio image. However, to unlock advanced Gloo Mesh Gateway features based on custom Envoy extensions, such as XSLT transformations, you must use the Solo Istio image.
    • Can I see an example? Istio provides example gateway configurations that you can use, or you can use the following Gloo Mesh example ingress-gateway deployment (Istio version 1.13).
    • Do I have to manage the gateway? The example uses an Istio operator plus auto-injection of the Envoy sidecar to simplify lifecycle management. When you need to upgrade the Istio version or configuration, you can update the Istio operator resource. Then, the operator applies the corresponding configuration upgrades to the resources that it manages for you. Because the ingress gateway also uses auto-injection, the operator can upgrade the gateway with a simple restart.
  2. Deploy Istio with the ingress gateway setup that you want to use. Make sure to install the Bookinfo sample app to test your setup. Choose from the following options:

Configure virtual gateways

After deploying Istio ingress gateways, use a Gloo Mesh virtual gateway custom resource to consistently configure the ports, protocol, and TLS certificates.

  1. Review the following sample configuration file.

    apiVersion: networking.gloo.solo.io/v2
    kind: VirtualGateway
    metadata:
      name: north-south-gw
      namespace: bookinfo
    spec:
      listeners:
      - allowedRouteTables:
        - host: www.example.com
        http: {}
        port:
          number: 443
        tls:
          mode: SIMPLE
          secretName: gw-ssl-1-secret
      workloads:
      - selector:
          labels:
            istio: ingressgateway
    

    Review the following table to understand this configuration. For more information, see the API reference.

    | Setting | Description |
    | --- | --- |
    | metadata | Give a name and namespace for the virtual gateway. The namespace must be part of the workspace that you want the virtual gateway to manage gateways for. |
    | spec.listeners | Set up the hostname and port that you want the gateway to listen for traffic on. You can specify which route tables bind to the virtual gateway by filtering on the host names in the allowedRouteTables setting. You might have more than one listener to configure different hosts, ports, and TLS secrets. For more information on TLS, see Secure gateways. |
    | spec.workloads | Select the Istio ingress gateways that you want the virtual gateway to configure. You installed these gateways in the previous section. |
  2. Make sure that you have the related Gloo Mesh workspace and networking resources set up in your workload cluster. If not, review and apply the following examples.

    1. Download the following Gloo Mesh setup resources.
      • Route table: This example forwards traffic from the www.example.com host to the ratings service via the virtual gateway. For more information, see Route requests.
      • Virtual gateway: This example includes the information that you reviewed in the previous step. Note that the www.example.com host that the gateway listens on matches the host that is configured in the route table.
      • Workspace settings: Note that the workspace includes the namespaces that the route table, virtual gateway, and Bookinfo apps run in. Otherwise, you must set up importing and exporting for your workspaces. For more information, see Configure workspace settings.
    2. Apply the downloaded files to your management cluster.
      kubectl apply -f route-table_bookinfo_www-example-com.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f virtual-gateway_bookinfo_north-south-gw.yaml --context ${REMOTE_CONTEXT1}
      kubectl apply -f workspace-settings_bookinfo_anything.yaml --context ${REMOTE_CONTEXT1}
      
  3. Get the address of the Istio ingress gateway on cluster1. Use the command that matches how your load balancer exposes the service.

     If the load balancer is assigned an IP address:

       export CLUSTER_1_INGRESS_ADDRESS=$(kubectl --context $REMOTE_CONTEXT1 get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

     If the load balancer is assigned a hostname:

       export CLUSTER_1_INGRESS_ADDRESS=$(kubectl --context $REMOTE_CONTEXT1 get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')

    Note: Depending on your environment, you might see <pending> instead of an external IP address. For example, if you are testing locally in kind or minikube, or if you have insufficient permissions in your cloud platform, you can instead port-forward the service port of the ingress gateway:

    kubectl --context $REMOTE_CONTEXT1 -n istio-system port-forward deploy/istio-ingressgateway 8081
    
  4. Test the route by sending a request to the ratings service. If you used port forwarding, substitute localhost:8081 for the ingress address.

    curl -H "Host: www.example.com" $CLUSTER_1_INGRESS_ADDRESS/ratings/1
    

    Example successful response:

    {"id":1,"ratings":{"Reviewer1":5,"Reviewer2":4}}
    

    If you see an unsuccessful response such as the following, check the health of your Bookinfo pods and make sure that they are running.

    curl: (52) Empty reply from server
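
The address lookup in step 3 and the test request in step 4 can be wrapped in shell functions, shown here as an added example that is not part of the Gloo Mesh documentation. The function names are hypothetical; the jsonpath fields, the localhost:8081 fallback, and the curl request are the ones used in the steps above.

```shell
# Added example; function names are hypothetical, commands come from steps 3-4.
# Usage after sourcing this file:
#   export CLUSTER_1_INGRESS_ADDRESS=$(ingress_address_or_local "$REMOTE_CONTEXT1")
#   check_ratings_route "$CLUSTER_1_INGRESS_ADDRESS"

# Print the gateway's external address; return 1 while it is still <pending>.
ingress_address() {
  # Both fields are requested at once: a load balancer publishes either an IP
  # or a hostname, and kubectl prints nothing for the field that is missing.
  _addr=$(kubectl --context "$1" -n istio-system get svc istio-ingressgateway \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}') \
    || return 1
  [ -n "$_addr" ] || return 1
  printf '%s\n' "$_addr"
}

# Same lookup, falling back to the port-forward address from the note in step 3.
ingress_address_or_local() {
  if ingress_address "$1"; then return 0; fi
  echo "No external address; run the port-forward command and use localhost:8081" >&2
  printf '%s\n' "localhost:8081"
}

# Send the test request from step 4 and classify the result.
check_ratings_route() {
  _rc=0
  _code=$(curl -s -o /dev/null -w '%{http_code}' \
    -H "Host: www.example.com" "$1/ratings/1") || _rc=$?
  case "$_rc:$_code" in
    0:200) echo "ok" ;;
    52:*)  echo "empty-reply: check that the Bookinfo pods are running"; return 1 ;;
    0:*)   echo "http-$_code"; return 1 ;;
    *)     echo "curl-exit-$_rc"; return 1 ;;
  esac
}
```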
    

Next steps

Now that you have the virtual gateway configured, you can add other Gloo Mesh resources to control traffic that is routed through the gateway.

A good place to start is the Multicluster federation and isolation with Bookinfo tutorial.

Next, you might want to try more advanced security features and traffic policies.