Ingress Gateway
In this scenario, you'll use a Gateway to allow external traffic to your bookinfo application.
Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts
✓ Install the TSB demo environment
✓ Deploy the Istio Bookinfo sample app
✓ Create a Tenant
✓ Create a Workspace
✓ Create Config Groups
✓ Configure Permissions
Create Ingress Gateway object
First, you'll create an Ingress Gateway with the yaml below and apply it. This will create an Ingress Gateway for your cluster, with a public IP that you can access.
Create the following ingress.yaml:
```yaml
apiVersion: install.tetrate.io/v1alpha1
kind: IngressGateway
metadata:
  name: tsb-gateway-bookinfo
  namespace: bookinfo
spec:
  kubeSpec:
    service:
      type: LoadBalancer
```
Standard: apply with kubectl
```shell
kubectl apply -f ingress.yaml
```
OpenShift: apply with the oc command
```shell
oc apply -f ingress.yaml
```
Then, get the Gateway IP (or hostname in case of AWS). The following command will set the environment variable GATEWAY_IP in your current shell. You will use this environment variable in the next scenarios.
Standard:
```shell
export GATEWAY_IP=$(kubectl -n bookinfo get service tsb-gateway-bookinfo -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
```
OpenShift:
```shell
export GATEWAY_IP=$(oc -n bookinfo get service tsb-gateway-bookinfo -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
```
To confirm that you have a valid Ingress Gateway IP, you can use the following command to display the IP address (or hostname in case of AWS).
```shell
echo $GATEWAY_IP
```
When using LoadBalancer, Istio uses the external IP of the Service to know where to send the traffic. When using NodePort instead, Istio needs the label traffic.istio.io/nodeSelector to know which nodes the Service is running on.
Certificate for Gateway
Now, set up a TLS certificate for your Gateway. If you have a TLS certificate ready for your domain, you can use it directly, or use the following script to create a self-signed certificate.
In the remainder of the example we will assume bookinfo.tetrate.com with a self-signed certificate, and you can follow along using this exact name.
Save the following script as gen-cert.sh:
```shell
#!/bin/bash
# Script to create a self-signed certificate
# Usage: ./gen-cert.sh bookinfo bookinfo.tetrate.com .
APP=${1:?application id is required}
DNS=${2:?DNS name for certificate is required}
DIR=${3:?certificate output directory is required}
mkdir -p "${DIR}"
# Create the openssl config file; the unquoted heredoc already expands ${DNS},
# so envsubst only acts as a pass-through here
cat <<EOF | envsubst > "${DIR}/${APP}.cnf"
[req]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = san_reqext
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
organizationName = Tetrateio
[ san_reqext ]
subjectAltName = @alt_names
[alt_names]
DNS.0 = ${DNS}
EOF
# Create a self-signed CA certificate and key
openssl req \
  -x509 \
  -sha256 \
  -nodes \
  -days 365 \
  -newkey rsa:4096 \
  -subj "/C=US/ST=CA/O=Tetrateio/CN=${DNS}" \
  -keyout "${DIR}/${APP}-ca.key" \
  -out "${DIR}/${APP}-ca.crt"
# Generate the server key and certificate signing request (SAN from the config)
openssl req \
  -out "${DIR}/${APP}.csr" \
  -newkey rsa:2048 -nodes \
  -keyout "${DIR}/${APP}.key" \
  -config "${DIR}/${APP}.cnf"
# Sign the server certificate with the CA, carrying over the SAN extension
openssl x509 \
  -req \
  -days 365 \
  -CA "${DIR}/${APP}-ca.crt" \
  -CAkey "${DIR}/${APP}-ca.key" \
  -set_serial 0 \
  -in "${DIR}/${APP}.csr" \
  -out "${DIR}/${APP}.crt" \
  -extfile "${DIR}/${APP}.cnf" \
  -extensions san_reqext
```
Make the script executable and run it:
```shell
chmod +x gen-cert.sh
./gen-cert.sh bookinfo bookinfo.tetrate.com .
```
Create Kubernetes secrets to hold the certificates. Make sure to set the correct path to the key and crt files.
Standard:
```shell
kubectl -n bookinfo create secret tls bookinfo-certs \
  --key bookinfo.key \
  --cert bookinfo.crt
```
OpenShift:
```shell
oc -n bookinfo create secret tls bookinfo-certs \
  --key bookinfo.key \
  --cert bookinfo.crt
```
Now you can configure your ingress gateway to route TLS encrypted requests to your bookinfo application in TSB!
Configure with UI
From the Workspaces list, click on Gateway Groups. Select the bookinfo-gw Gateway Group that you created earlier.
Navigate to the Gateway Settings tab at the top to display the config view of the gateway. Here, you can click the name of a configuration item to display its possible configuration fields. If that item has children, you may expand it by clicking the arrow on its left to display its configurable children.
To configure the gateway, follow the steps below. You have to perform these steps in the correct sequence before clicking Save Changes at the end to avoid validation errors.
- Click Add new.... This will create a new Ingress Gateway with the default name default-ingressgateway.
- Click default-ingressgateway to open the naming form, and rename it to bookinfo-gw-ingress.
- Expand bookinfo-gw-ingress to display the children of this node.
- Click on Workload Selector under bookinfo-gw-ingress.
  - Set the namespace to: bookinfo
  - Add a label: app with the value tsb-gateway-bookinfo
- Expand HTTP Servers.
- Click Add new HTTP Server.... This will create a new Server with the default name Hostname0. Click on Hostname0.
  - Set name to bookinfo
  - Set port to 8443
  - Set hostname to bookinfo.tetrate.com
- Expand Hostname0 to display its children.
- Click on Server TLS Settings.
  - Set TLS mode to SIMPLE
  - Set secret name to bookinfo-certs. This is the Kubernetes secret name you created in the previous step.
- Expand Routing Settings.
- Click on HTTP Rules.
- Click Add new HTTP Rule.... This will create a new Rule with the default name HTTP Rule 1.
  - Click on HTTP Rule 1
  - Choose Route as the Routing option
- Expand HTTP Rule 1.
- Click on Route under HTTP Rule 1 in the tree menu.
  - Enter the service host, using the syntax <namespace>/<fqdn>, where fqdn must be the fully qualified name of the destination service in the cluster. Set host to bookinfo/productpage.bookinfo.svc.cluster.local and Port to 9080.
- Save Changes.
Configure with tctl
Create the following gateway.yaml:
```yaml
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  organization: tetrate
  name: bookinfo-gw-ingress
  group: bookinfo-gw
  workspace: bookinfo-ws
  tenant: tetrate
spec:
  workloadSelector:
    namespace: bookinfo
    labels:
      app: tsb-gateway-bookinfo
  http:
  - name: bookinfo
    port: 8443
    hostname: 'bookinfo.tetrate.com'
    tls:
      mode: SIMPLE
      secretName: bookinfo-certs
    routing:
      rules:
      - route:
          host: 'bookinfo/productpage.bookinfo.svc.cluster.local'
```
Apply with tctl:
```shell
tctl apply -f gateway.yaml
```
Test ingress traffic
To test if your ingress is working as expected, you can execute the following curl command.
In a previous step we showed you how to export the Ingress Gateway IP for your deployment. If you did not export the variable, or you are using a different console, you can also replace $GATEWAY_IP in the command below with the actual Ingress Gateway IP.
```shell
curl -k -s --connect-to bookinfo.tetrate.com:443:$GATEWAY_IP \
  "https://bookinfo.tetrate.com/productpage" | \
  grep -o "<title>.*</title>"
```
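The curl above passes -k, which skips certificate verification entirely. The script below is an added example, not part of the TSB docs: it checks the files before they go into the bookinfo-certs secret (SAN covers the hostname, chain to the CA, key matches cert), confirms the gateway serves that exact certificate, and probes productpage trusting only the CA that gen-cert.sh produced. It assumes bookinfo.crt, bookinfo.key and bookinfo-ca.crt in the current directory and GATEWAY_IP exported as above.

```shell
#!/usr/bin/env bash
# Added example (not from the TSB docs): check the certificate files before
# they go into the bookinfo-certs secret, confirm the gateway really serves
# that certificate, and probe productpage trusting only the CA that
# gen-cert.sh produced instead of disabling verification with "curl -k".
# Assumes bookinfo.crt, bookinfo.key and bookinfo-ca.crt in the current
# directory and GATEWAY_IP exported as in the earlier steps.
set -euo pipefail

# Local checks: HOST is covered by the cert (SAN/CN), the cert chains to the
# CA, and the private key belongs to the cert. The return code says which failed.
cert_matches_host() {
  local crt=$1 key=$2 ca=$3 host=$4
  case "$(openssl x509 -in "$crt" -noout -checkhost "$host")" in
    *"does match"*) ;; *) return 1 ;;
  esac
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 2
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || return 3
}

# Remote check: fetch the leaf the gateway presents for HOST (via SNI) and
# compare its SHA-256 fingerprint with the local file.
served_cert_matches() {
  local host=$1 ip=$2 crt=$3 served local_fp
  served=$(openssl s_client -connect "$ip:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256)
  local_fp=$(openssl x509 -in "$crt" -noout -fingerprint -sha256)
  [ "$served" = "$local_fp" ]
}

# The docs' curl probe with verification on: only the generated CA is
# trusted and the certificate must be valid for HOST.
probe_with_ca() {
  local host=$1 ip=$2 ca=$3
  curl -s --cacert "$ca" --connect-to "$host:443:$ip" \
    "https://$host/productpage" | grep -o "<title>.*</title>"
}
# Runs against the real gateway only when GATEWAY_IP is set.
if [ -n "${GATEWAY_IP:-}" ]; then
  host=bookinfo.tetrate.com
  cert_matches_host bookinfo.crt bookinfo.key bookinfo-ca.crt "$host" \
    || { echo "local cert/key/CA do not fit $host (code $?)" >&2; exit 1; }
  served_cert_matches "$host" "$GATEWAY_IP" bookinfo.crt \
    || { echo "gateway presents a different certificate" >&2; exit 1; }
  probe_with_ca "$host" "$GATEWAY_IP" bookinfo-ca.crt
fi
```

A non-zero exit from cert_matches_host before the secret is created is the cheapest place to catch a mismatched key or a certificate without the expected SAN.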
Bookinfo UI
To view the bookinfo UI, you need to update your /etc/hosts file to make bookinfo.tetrate.com resolve to your Ingress Gateway IP. You can adjust it manually or run the command below:
```shell
echo "$GATEWAY_IP bookinfo.tetrate.com" | sudo tee -a /etc/hosts
```
Now, point your browser to https://bookinfo.tetrate.com/productpage.
Because you have set up a self-signed certificate, your browser will display an error or a warning when you access bookinfo.tetrate.com. Most browsers have an option to bypass this (usually through an "Advanced" menu or similar). Use the bypass if available, or refer to your specific browser and OS documentation for details on how to suppress the error.