Version: 1.3.x

Distributed Ingress Gateways

For this scenario, you need two onboarded clusters so that you can configure round robin or failover between them.

The following YAML file has two objects: a Workspace for the application, and a Gateway group so that you can configure the application ingress.

apiVersion: api.tsb.tetrate.io/v2
kind: Workspace
metadata:
  organization: tetrate
  tenant: default
  name: httpbin-ws
spec:
  namespaceSelector:
    names:
      - "*/httpbin"
---
apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
  organization: tetrate
  tenant: default
  workspace: httpbin-ws
  name: httpbin-gw
spec:
  namespaceSelector:
    names:
      - "*/httpbin"
  configMode: BRIDGED

Store as httpbin-mgmt.yaml, and apply with tctl:

tctl apply -f httpbin-mgmt.yaml

The following configurations should be applied to both clusters. To deploy your application, start by creating the namespace and enabling Istio sidecar injection.

kubectl create namespace httpbin
kubectl label namespace httpbin istio-injection=enabled

Then deploy your application.

kubectl apply -f \
  https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml \
  -n httpbin

In this example, you’re going to expose the application using simple TLS at the gateway. You’ll need to provide it with a TLS certificate stored in a Kubernetes secret.

kubectl create secret tls -n httpbin httpbin-cert \
  --cert /path/to/some/cert.pem \
  --key /path/to/some/key.pem

Now you can deploy the ingress gateway.

apiVersion: install.tetrate.io/v1alpha1
kind: IngressGateway
metadata:
  name: tsb-httpbin-gateway
  namespace: httpbin
spec:
  kubeSpec:
    service:
      type: LoadBalancer

Save as httpbin-ingress.yaml, and apply with kubectl:

kubectl apply -f httpbin-ingress.yaml

Applying the above configurations to both clusters creates the same environment in each of them. Next, deploy the gateway and virtual services.

The TSB data plane operator in the cluster will pick up this configuration and deploy the gateway’s resources in your application namespace. All that is left to do is configure the gateway so that it routes traffic to your application.

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  name: httpbin-gateway
  group: httpbin-gw
  workspace: httpbin-ws
  tenant: default
  organization: tetrate
spec:
  workloadSelector:
    namespace: httpbin
    labels:
      ingress: tsb-httpbin-gateway
  http:
    - name: httpbin
      port: 443
      hostname: httpbin.tetrate.com
      tls:
        mode: SIMPLE
        secretName: httpbin-cert
      routing:
        rules:
          - route:
              host: httpbin/httpbin

Save as httpbin-gw.yaml, and apply with tctl:

tctl apply -f httpbin-gw.yaml

Now you can add both ingress gateway service IPs to your DNS entry and configure round robin between them, or configure just one IP and use the other cluster as failover.

You can test that both ingress gateways are working by running:

curl -s -o /dev/null -w "%{http_code}" \
  "https://httpbin.tetrate.com" \
  --resolve "httpbin.tetrate.com:443:$CLUSTER1_IP"
curl -s -o /dev/null -w "%{http_code}" \
  "https://httpbin.tetrate.com" \
  --resolve "httpbin.tetrate.com:443:$CLUSTER2_IP"
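
The same per-cluster check as a script, added here as an example that is not part of the original TSB documentation: it separates a certificate or handshake failure from an unreachable gateway or a non-200 response, and fails unless every gateway passes. The function names probe_gateway and check_gateways and the HOST variable are hypothetical; CLUSTER1_IP and CLUSTER2_IP are the variables used in the curl commands above.

```bash
#!/usr/bin/env bash
# Added example: probe each cluster's ingress gateway on its own and classify
# the outcome. probe_gateway / check_gateways are illustrative names.
HOST="${HOST:-httpbin.tetrate.com}"   # hostname from the gateway config above

# probe_gateway HOST IP
# prints: ok | http-<code> | tls-error | unreachable | curl-error-<n>
probe_gateway() {
  local host="$1" ip="$2" code rc=0
  # --resolve pins the hostname to one cluster's IP, so DNS round robin cannot
  # mask a broken gateway. No -k: certificate validation stays enabled.
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    --resolve "${host}:443:${ip}" "https://${host}/") || rc=$?
  case "$rc" in
    0) if [ "$code" = "200" ]; then echo ok; else echo "http-${code}"; fi ;;
    35|51|60) echo tls-error ;;    # handshake or certificate verification failed
    7|28) echo unreachable ;;      # connection refused or timed out
    *) echo "curl-error-${rc}" ;;
  esac
}

# check_gateways HOST IP...
# returns 0 only when every listed gateway answers "ok"
check_gateways() {
  local host="$1" ip result failed=0
  shift
  for ip in "$@"; do
    result=$(probe_gateway "$host" "$ip")
    printf '%s via %s: %s\n' "$host" "$ip" "$result"
    [ "$result" = "ok" ] || failed=1
  done
  return "$failed"
}

# Runs only when both variables used in the curl commands above are set.
if [ -n "${CLUSTER1_IP:-}" ] && [ -n "${CLUSTER2_IP:-}" ]; then
  check_gateways "$HOST" "$CLUSTER1_IP" "$CLUSTER2_IP"
fi
```

A tls-error result from only one cluster usually means the httpbin-cert secret was not created identically in both clusters.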