Expose apps with an ingress gateway
Send requests to apps from outside your service mesh setup by deploying an ingress gateway.
The options to deploy an ingress gateway vary based on the traffic management API that you want to use. Although you can use either the Kubernetes Gateway API or the Istio API, the Kubernetes Gateway API is the method that Istio recommends for service meshes.
Kubernetes Gateway API
To use the Kubernetes Gateway API custom resources to configure traffic management in your service mesh, you can deploy Gateway resources that expose your services. Note that the Kubernetes Gateway API is the method that Istio recommends for service meshes. For more information about using the Gateway API in Istio, see this blog post.
To set up an ingress gateway, you can use Gloo Gateway, or use the native Kubernetes Gateway API directly.
Gloo Gateway (recommended)
Use Gloo Gateway as the ingress gateway for your service mesh. Gloo Gateway is fully conformant with the Kubernetes Gateway API and extends its functionality with Solo’s custom Gateway APIs, such as RouteOption, VirtualHostOption, Upstreams, RateLimitConfig, or AuthConfig. These resources help to centrally configure routing, security, and resiliency rules for a specific component, such as a host, route, or gateway listener.
To get started, follow the Ingress to Istio sidecar mesh with virtual destinations (GME) guide in the Gloo Gateway docs to integrate Gloo Gateway with your service mesh. This guide includes steps to expose the Bookinfo product page app on the gateway proxy, and to expose the VirtualDestination for the reviews app on your gateway proxy directly.
Native Kubernetes Gateway API
To use the native Kubernetes Gateway API, you can follow the Ingress gateways guide in the community Istio docs. Be sure to use the Gateway API resources option in the steps.
Istio networking API
To use the classic Istio networking API to configure traffic management in your service mesh, you can deploy an Istio ingress gateway by using Helm.
If you have not already, set environment variables for the Solo distribution of Istio that you want to install. You can find these values in the Istio images built by Solo.io support article.
# Solo distribution of Istio patch version
# in the format 1.x.x, with no tags
export ISTIO_VERSION=1.24.2
# Repo key for the minor version of the Solo distribution of Istio
# This is the 12-character hash at the end of the repo URL: 'us-docker.pkg.dev/gloo-mesh/istio-<repo-key>'
export REPO_KEY=<repo_key>
# Solo distribution of Istio patch version and Solo tag
# Optionally append other Solo tags as needed
export ISTIO_IMAGE=${ISTIO_VERSION}-solo
# Solo distribution of Istio image repo
export REPO=us-docker.pkg.dev/gloo-mesh/istio-${REPO_KEY}
Get the revision that you used for your installation. Typically, this is main for a Helm installation, or gloo for a Gloo operator installation.
# Select the istiod pod by label (-l) and read its istio.io/rev label
export REVISION=$(kubectl get pod -l app=istiod -n istio-system -o jsonpath='{.items[0].metadata.labels.istio\.io/rev}')
echo ${REVISION}
Prepare a Helm values file for the Istio ingress gateway. This sample command downloads an example file, ingress-gateway.yaml, and replaces the environment variable references in it with the values that you previously set. You can further edit the file to provide your own details for production-level settings.
curl -0L https://raw.githubusercontent.com/solo-io/gloo-mesh-use-cases/main/gloo-mesh-enterprise/istio-install/manual-helm/ingress-gateway-1.24+.yaml > ingress-gateway.yaml
envsubst < ingress-gateway.yaml > ingress-gateway-values.yaml
Create the ingress gateway.
helm upgrade --install istio-ingressgateway istio/gateway \
  --version ${ISTIO_VERSION} \
  --namespace istio-ingress \
  --create-namespace \
  --kube-context ${CLUSTER_CONTEXT} \
  --wait \
  -f ingress-gateway-values.yaml
Verify that the ingress gateway pods are running and the load balancer service is assigned an external address.
kubectl get pods,svc -n istio-ingress --context ${CLUSTER_CONTEXT}
Example output:
NAME                                    READY   STATUS    RESTARTS   AGE
istio-ingressgateway-665d46686f-nhh52   1/1     Running   0          106s
istio-ingressgateway-665d46686f-tlp5j   1/1     Running   0          2m1s

NAME                   TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                                                                      AGE
istio-ingressgateway   LoadBalancer   10.96.252.49   <externalip>   15021:32378/TCP,80:30315/TCP,443:32186/TCP,31400:30313/TCP,15443:31632/TCP   2m2s
AWS clusters only: For the Elastic Load Balancer (ELB) instance that is automatically created for you to back the ingress gateway service, verify that the health check shows a healthy state. Gloo Mesh configures the ingress gateway to listen on HTTPS port 15443. However, when the ELB is created, the first port that is defined in the Kubernetes service manifest is used to perform the health check. This port might be different from the port that Gloo Mesh configures. For your ELB health check to pass, you might need to configure the load balancer to run the health check on port 15443.
You can now use the Istio networking API resources, such as Istio Gateways and VirtualServices, to route to apps in your service mesh.
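A pre-flight check for the environment variable and envsubst steps of the Helm procedure above, as an added example that is not part of the Solo documentation. The function names and the sample template keys (revision, hub, tag) are assumptions made for illustration; the real ingress-gateway.yaml may reference other variables.

```shell
#!/bin/sh
# Added example (not from the Solo docs): pre-flight checks to run before
# `envsubst < ingress-gateway.yaml`. envsubst replaces a variable that is
# unset or not exported with an empty string and reports no error.

# Check the variables against the formats the page gives for them.
check_istio_env() (
  rc=0
  fail() { echo "check_istio_env: $1" >&2; rc=1; }
  # "in the format 1.x.x, with no tags"
  printf '%s\n' "${ISTIO_VERSION:-}" | grep -qE '^1\.[0-9]+\.[0-9]+$' \
    || fail "ISTIO_VERSION must be 1.x.x with no tags"
  # "the 12-character hash at the end of the repo URL"
  [ "${#REPO_KEY}" -eq 12 ] || fail "REPO_KEY must be 12 characters"
  # Image tag starts with <version>-solo; other Solo tags may follow
  case "${ISTIO_IMAGE:-}" in
    "${ISTIO_VERSION:-}-solo"*) ;;
    *) fail "ISTIO_IMAGE must start with ${ISTIO_VERSION:-}-solo" ;;
  esac
  # Pin the image repo to the registry path named on the page
  [ "${REPO:-}" = "us-docker.pkg.dev/gloo-mesh/istio-${REPO_KEY:-}" ] \
    || fail "REPO is not us-docker.pkg.dev/gloo-mesh/istio-<repo-key>"
  [ "$rc" -eq 0 ]
)

# Print every variable the template references ($NAME or ${NAME}) that is not
# exported with a non-empty value; exit status 1 if there is at least one.
missing_template_vars() (
  missing=0
  names=$(grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*\}?' "$1" | tr -d '${}' | sort -u)
  for name in $names; do
    if [ -z "$(printenv "$name")" ]; then
      echo "$name"
      missing=1
    fi
  done
  [ "$missing" -eq 0 ]
)

# Constructed sample template for trying the check; the keys are hypothetical
# and this is not the real ingress-gateway.yaml.
write_sample_template() {
  printf '%s\n' 'revision: ${REVISION}' 'hub: ${REPO}' 'tag: ${ISTIO_IMAGE}' > "$1"
}
```

Run `check_istio_env && missing_template_vars ingress-gateway.yaml` after the download and before the envsubst command; any variable name it prints would be rendered as an empty string in ingress-gateway-values.yaml.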
Next
- If you haven’t already, install Gloo Mesh Enterprise so that Gloo Mesh Enterprise can manage your Istio resources. You don’t need to directly configure any Istio resources going forward.
- Review how Gloo Mesh custom resources are automatically translated into Istio resources.
- Apply Gloo policies to manage the security and resiliency of your service mesh environment.
- When it’s time to upgrade your service mesh, you can perform a safe in-place upgrade by using the Gloo operator or Helm.