About ambient mesh

Solo collaborated with Google to develop ambient mesh, a new “sidecarless” architecture for the Istio service mesh. Ambient mesh uses node-level ztunnels to route and secure Layer 4 traffic between pods with mutual TLS (mTLS). Waypoint proxies enforce Layer 7 traffic policies whenever needed. To onboard apps into the ambient mesh, you simply label the namespace the app belongs to. Because no sidecars need to be injected into your apps, ambient mesh significantly reduces the complexity of adopting a service mesh.

To learn more about ambient, see the ambient mesh documentation.

About this guide

Set up a multicluster ambient mesh and expose apps across multiple clusters with a global hostname. Then, use your gateway proxy to load balance ambient mesh traffic across your clusters.

This guide assumes that you have two clusters, ${REMOTE_CLUSTER1} and ${REMOTE_CLUSTER2}, that you want to install ambient meshes in and link together. Solo Enterprise for kgateway is installed in ${REMOTE_CLUSTER1} alongside your ambient mesh workloads. To try out the multicluster routing capabilities, you deploy the Bookinfo app in both clusters. Then, you expose the productpage app across clusters with a global hostname, productpage.bookinfo.mesh.internal. Solo Enterprise for kgateway uses the global hostname to route traffic to the productpage apps in both clusters.

Solo Enterprise for kgateway as an ingress gateway to a multicluster ambient mesh

Before you begin

  1. Follow the Get started guide to install Solo Enterprise for kgateway.

  2. Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.

  3. Get the external address of the gateway and save it in an environment variable.

Step 1: Enable the Istio integration

Upgrade your Solo Enterprise for kgateway installation to enable the Istio integration so that Solo Enterprise for kgateway works with Istio DestinationRules.

  1. Get the Helm values for your current Helm installation.

      helm get values enterprise-kgateway -n kgateway-system -o yaml > enterprise-kgateway.yaml
      open enterprise-kgateway.yaml

  2. Add the following values to the Helm values file to enable the Istio integration in Solo Enterprise for kgateway.

      controller:
        extraEnv:
          KGW_ENABLE_ISTIO_INTEGRATION: true

  3. Upgrade your Helm installation.

      helm upgrade -i --namespace kgateway-system --version 2.1.5 enterprise-kgateway oci://us-docker.pkg.dev/solo-public/enterprise-kgateway/charts/enterprise-kgateway -f enterprise-kgateway.yaml

Step 2: Set up a multicluster ambient mesh

  1. Follow the multicluster ambient mesh setup guide in the Solo Enterprise for Istio documentation to install ambient in two clusters, ${REMOTE_CLUSTER1} and ${REMOTE_CLUSTER2}. The steps include setting up a shared root of trust, installing ambient in each cluster, and linking both clusters to create your multicluster ambient mesh. You can choose between the following installation methods:

  2. Install Bookinfo in your multicluster setup and add it to the ambient mesh.

  3. Expose the productpage app across both clusters with a global hostname.

  4. Add the kgateway-system namespace to your ambient mesh. The ambient label on this namespace ensures that traffic from the gateway proxy to your apps is secured with mTLS.

      kubectl label ns kgateway-system istio.io/dataplane-mode=ambient --context ${REMOTE_CONTEXT1}

Step 3: Set up multicluster routing

  1. Before setting up routing through the ingress gateway, verify multicluster routing within the mesh.

    1. Make sure that you can route from the ratings app to the global hostname that the productpage apps are exposed on.

        kubectl -n bookinfo --context ${REMOTE_CONTEXT1} debug -i pods/$(kubectl get pod -l app=ratings \
          --context ${REMOTE_CONTEXT1} -A -o jsonpath='{.items[0].metadata.name}') \
          --image=curlimages/curl -- curl -vik http://productpage.bookinfo.mesh.internal:9080/productpage

    2. Scale down the productpage app in ${REMOTE_CLUSTER1}.

        kubectl scale deployment productpage-v1 -n bookinfo --context ${REMOTE_CONTEXT1} --replicas=0

    3. Repeat the request to the productpage app. Because the productpage app is scaled down in ${REMOTE_CLUSTER1}, traffic is forced to go to the productpage app in ${REMOTE_CLUSTER2}. Verify that you continue to see a 200 HTTP response code.

        kubectl -n bookinfo --context ${REMOTE_CONTEXT1} debug -i pods/$(kubectl get pod -l app=ratings \
          --context ${REMOTE_CONTEXT1} -A -o jsonpath='{.items[0].metadata.name}') \
          --image=curlimages/curl -- curl -vik http://productpage.bookinfo.mesh.internal:9080/productpage

    4. Scale up the productpage app in ${REMOTE_CLUSTER1}.

        kubectl scale deployment productpage-v1 -n bookinfo --context ${REMOTE_CONTEXT1} --replicas=1

  2. Create an HTTPRoute to expose the global hostname for the productpage app along the /productpage prefix path on the http Gateway that you created in the get started tutorial.

      kubectl apply --context ${REMOTE_CONTEXT1} -f- <<EOF
      apiVersion: gateway.networking.k8s.io/v1
      kind: HTTPRoute
      metadata:
        name: productpage
        namespace: kgateway-system
      spec:
        parentRefs:
          - name: http
            namespace: kgateway-system
        rules:
          - matches:
            - path:
                type: PathPrefix
                value: /productpage
            backendRefs:
              - name: productpage.bookinfo.mesh.internal
                port: 9080
                kind: Hostname
                group: networking.istio.io
      EOF

  3. Verify multicluster routing through the ingress gateway.

    1. Send a request through the ingress gateway along the /productpage path. Verify that you get back a 200 HTTP response code.

        curl -I http://$INGRESS_GW_ADDRESS:8080/productpage

      Example output:

        HTTP/1.1 200 OK
        content-type: text/html; charset=utf-8
        content-length: 5179
        server: envoy
        x-envoy-upstream-service-time: 133

    2. Scale down the productpage app in ${REMOTE_CLUSTER1}.

        kubectl scale deployment productpage-v1 -n bookinfo --context ${REMOTE_CONTEXT1} --replicas=0

    3. Repeat the request along the /productpage path. Because the productpage app is scaled down in ${REMOTE_CLUSTER1}, traffic is forced to go to the productpage app in ${REMOTE_CLUSTER2}. Verify that you continue to see a 200 HTTP response code.

        curl -I http://$INGRESS_GW_ADDRESS:8080/productpage

      Example output:

        HTTP/1.1 200 OK
        content-type: text/html; charset=utf-8
        content-length: 5179
        server: envoy
        x-envoy-upstream-service-time: 133

    4. Scale up the productpage app in ${REMOTE_CLUSTER1}.

        kubectl scale deployment productpage-v1 -n bookinfo --context ${REMOTE_CONTEXT1} --replicas=1


Next

Now that you set up Solo Enterprise for kgateway as the ingress gateway for your multicluster ambient mesh, you can further control and secure ingress traffic with Policies.