Tetrate support for the Gateway API
Gateway API support requires TSB 1.12.1+.
As an alternative to TSB's bridged APIs to configure ingress, you can instead use the industry-standard Gateway API.
TSB provides a complete set of Bridged APIs to configure your multi-cluster, multi-user mesh platform. These APIs are used to specify the desired configuration intent, and the TSB management plane maintains the configuration of the individual Istio deployments in line with the intent and the changing environment (failures, mobility, scaling, etc.).
TSB Direct APIs provide one way to 'break through' the TSB configuration that is generated for your Istio clusters, allowing you to define a partition of the configuration on cluster/namespace groups where you can apply Istio configuration directly.
Additionally, with TSB 1.12.1, you can specify Gateway configuration using the Gateway API alongside the TSB-generated configuration and TSB will correctly resolve this configuration.
How are Gateways configured?
TSB uses two resources to configure gateways:
- The Gateway Install Resource is used to deploy Istio gateway instances into Edge and Workload clusters. These Istio gateways are installed into a cluster, and their configuration is then managed by TSB. An emerging Tetrate management standard will make it easier to automate the deployment of these Gateway instances.
- The Gateway Resource is used to configure the selected Istio gateways, to expose selected endpoints through the gateway so that they can be reached from outside the cluster. The Gateway Resources are deployed to the TSB management plane, which then matches them to deployed gateways and applies the configuration to those gateways.
What about the Gateway API?
You can also configure the gateways directly, using the industry-standard Gateway API. Although the Gateway API does not deliver additional functionality, you may prefer to use this API instead of the native TSB APIs.
The documentation "Using the Gateway API with Tetrate Service Bridge" explains how to configure a workload cluster to accept Gateway API configuration, and gives a worked example.
Comparing Tetrate's Gateway Resource and the Gateway API
- Point of Application:
  - Tetrate Gateway Resources are applied once, against the Management Plane. The Management Plane evaluates the GatewayGroup in the Tetrate hierarchy to determine the clusters and namespaces where the Gateway Resource should be applied, and evaluates the workloadSelector to identify the gateways. If gateways are added or removed from a GatewayGroup, the Tetrate Management Plane will automatically reconfigure the gateways.
  - Gateway API resources are applied against an individual Workload cluster. The Tetrate-provided Istio installation on that cluster will evaluate the workloadSelector to identify which gateway(s) the configuration should be applied to.
- Safety / Risk of Collision:
  - The Tetrate Management Plane evaluates all configuration and will decline to deploy incorrect configuration that risks name, service or path collision to individual Workload clusters.
  - No such safeguard exists when applying Gateway API resources directly, so the user must take care to validate the correctness of the configuration they apply.
- Tier1 and Tier2 integration:
  - The Tetrate platform recommends a two-tier Gateway configuration: Edge (Tier1) gateways are Internet-facing and receive traffic from external sources, and then forward traffic to App (Tier2) gateways on individual Workload clusters. The platform synchronizes configuration dynamically, so that Edge gateways are always correctly configured to only forward traffic to working App gateways.
  - The Tetrate platform does not automatically discover services exposed directly using the Gateway API, so it is not able to automatically maintain the Edge-to-App routing. The end user is responsible for managing the configuration of any downstream load balancers.
- Tetrate UI / API support:
  - Tetrate Gateway Resources are known by the Management Plane and can be interrogated and edited using the Tetrate APIs and Management Plane UI.
  - Gateway API resources are not known by the Management Plane, so are not displayed or edited in the Management Plane UI or through Tetrate APIs.
- Metrics and Observability support:
  - Metrics, Traces and Logs are gathered from the Tetrate-managed gateways, whether they were configured using Tetrate Gateway Resources or Gateway APIs. Observability data is therefore available for both use cases.
Despite the automation and ease-of-use provided for Tetrate's Gateway Resources, you may still wish to use Gateway APIs if your tooling prefers this industry-standard approach.
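Because the "Safety / Risk of Collision" safeguard is absent for Gateway API resources, a pre-apply check can cover part of it. The following is an added example, not Tetrate's or the Gateway API project's code: it takes HTTPRoute objects as parsed dictionaries (for instance the items from kubectl get httproute -A -o json) and reports every gateway, hostname and path claimed by more than one route. Function names and sample routes are constructed; comparison is by exact string, so overlapping wildcard hostnames and header, method or query matches are not modeled.

```python
from collections import defaultdict

def route_claims(route):
    """Yield (gateway, hostname, path_type, path) tuples claimed by one HTTPRoute."""
    meta, spec = route["metadata"], route.get("spec", {})
    ns = meta.get("namespace", "default")  # assumption: unset namespace means "default"
    hostnames = spec.get("hostnames") or ["*"]  # no hostnames: route matches any host
    for parent in spec.get("parentRefs", []):
        # A parentRef without a namespace refers to the route's own namespace.
        gateway = (parent.get("namespace", ns), parent["name"])
        for rule in spec.get("rules") or [{}]:
            # A rule without matches defaults to PathPrefix "/".
            for match in rule.get("matches") or [{}]:
                path = match.get("path", {})
                for host in hostnames:
                    yield (gateway, host.lower(),
                           path.get("type", "PathPrefix"), path.get("value", "/"))

def find_collisions(routes):
    """Return {claim: sorted route names} for claims made by more than one route."""
    owners = defaultdict(set)
    for route in routes:
        meta = route["metadata"]
        name = f'{meta.get("namespace", "default")}/{meta["name"]}'
        for claim in route_claims(route):
            owners[claim].add(name)
    return {c: sorted(n) for c, n in owners.items() if len(n) > 1}

# Constructed sample input, not taken from a real cluster.
def _route(ns, name, gw, hosts, paths):
    return {"kind": "HTTPRoute", "metadata": {"namespace": ns, "name": name},
            "spec": {"parentRefs": [{"name": gw, "namespace": "ingress"}],
                     "hostnames": hosts,
                     "rules": [{"matches": [{"path": {"type": "PathPrefix", "value": p}}]}
                               for p in paths]}}

SAMPLE_ROUTES = [
    _route("shop", "storefront", "app-gw", ["shop.example.com"], ["/", "/cart"]),
    _route("payments", "checkout", "app-gw", ["shop.example.com"], ["/cart"]),
    _route("blog", "blog", "app-gw", ["blog.example.com"], ["/"]),
]

if __name__ == "__main__":
    for (gw, host, ptype, path), names in find_collisions(SAMPLE_ROUTES).items():
        print(f"collision on {gw[0]}/{gw[1]} {host} {ptype} {path}: {', '.join(names)}")
```

Run against the routes already in the cluster plus the manifests about to be applied, and treat any reported claim as a reason to stop before applying.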