Skip to main content
logoTetrate Service BridgeVersion: 1.6.x

Client Side Load Balancing

The following YAML file has three objects - a Workspace for the application, a Gateway group so that you can configure the application ingress, and a Traffic group that will allow you to configure the canary release process.

apiversion: api.tsb.tetrate.io/v2
kind: Workspace
metadata:
organization: tetrate
tenant: tetrate
name: helloworld-ws
spec:
namespaceSelector:
names:
- '*/helloworld'
---
apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
organization: tetrate
tenant: tetrate
workspace: helloworld-ws
name: helloworld-gw
spec:
namespaceSelector:
names:
- '*/helloworld'
configMode: BRIDGED
---
apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
organization: tetrate
tenant: tetrate
workspace: helloworld-ws
name: helloworld-trf
spec:
namespaceSelector:
names:
- '*/helloworld'
configMode: BRIDGED

Store the file as helloworld-ws-groups.yaml, and apply with tctl:

tctl apply -f helloworld-ws-groups.yaml

To deploy your application, start by creating the namespace and enable the Istio sidecar injection.

kubectl create namespace helloworld
kubectl label namespace helloworld istio-injection=enabled

Then deploy your application.

apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-v1
namespace: helloworld
spec:
replicas: 3
selector:
matchLabels:
app: helloworld
version: v1
template:
metadata:
labels:
app: helloworld
version: v1
spec:
containers:
- name: hello
image: 'gcr.io/google-samples/hello-app:1.0'
env:
- name: 'PORT'
value: '8080'
---
apiVersion: v1
kind: Service
metadata:
name: helloworld
namespace: helloworld
spec:
selector:
app: helloworld
ports:
- protocol: TCP
port: 443
targetPort: 8080

Store as helloworld-1.yaml, and apply with kubectl:

kubectl apply -f helloworld-1.yaml

Note that you're deploying 3 replicas for this deployment.

In this example, you're going to expose the application using simple TLS at the gateway. You'll need to provide it with a TLS certificate stored in a Kubernetes secret.

kubectl create secret tls -n helloworld helloworld-cert \
--cert /path/to/some/helloworld-cert.pem \
--key /path/to/some/helloworld-key.pem

Now you can deploy your ingress gateway.

apiVersion: install.tetrate.io/v1alpha1
kind: IngressGateway
metadata:
name: tsb-helloworld-gateway
namespace: helloworld
spec:
kubeSpec:
service:
type: LoadBalancer

Save as helloworld-ingress.yaml, and apply with kubectl:

kubectl apply -f helloworld-ingress.yaml

The TSB data plane operator in the cluster will pick up this configuration and deploy the gateway's resources in your application namespace. Finally, configure the gateway so that it routes traffic to your application.

apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
name: helloworld-gateway
group: helloworld-gw
workspace: helloworld-ws
tenant: tetrate
organization: tetrate
spec:
workloadSelector:
namespace: helloworld
labels:
app: tsb-helloworld-gateway
http:
- name: helloworld
port: 443
hostname: helloworld.tetrate.com
tls:
mode: SIMPLE
secretName: helloworld-cert
routing:
rules:
- route:
host: helloworld/helloworld.helloworld.svc.cluster.local
port: 5000

Save as helloworld-gw.yaml, and apply with tctl:

tctl apply -f helloworld-gw.yaml

You can check that your application is reachable by opening your web browser and directing it to the gateway service IP or domain name (depending on your configuration).

At this point, your application will load balance using Round Robin by default. Now, configure client-side load balancing and use the source IP.

apiVersion: traffic.tsb.tetrate.io/v2
kind: ServiceRoute
metadata:
name: helloworld-client-lb
group: helloworld-trf
workspace: helloworld-ws
tenant: tetrate
organization: tetrate
spec:
service: helloworld/helloworld
subsets:
- name: v1
labels:
version: v1
stickySession:
useSourceIp: true

Save as helloworld-client-lb.yaml, and apply with tctl:

tctl apply -f helloworld-client-lb.yaml

Now, the same pod is being used as a backend for all our requests coming from the same IP.

In this example you have used the source IP, but there are other methods allowed too; using the header of an HTTP request, or configuring an HTTP cookie.