Distributed Ingress Gateways
For this scenario, you will need two clusters onboarded to configure round robin - failover between them.
Prerequisites
Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts
✓ Install the TSB demo environment
✓ Create a Tenant
Create workspace and gateway group
The following YAML file has two objects; a Workspace
for the application, and
a Gateway
group so that you can configure the application ingress.
apiversion: api.tsb.tetrate.io/v2
kind: Workspace
metadata:
organization: tetrate
tenant: tetrate
name: httpbin-ws
spec:
namespaceSelector:
names:
- '*/httpbin'
---
apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
organization: tetrate
tenant: tetrate
workspace: httpbin-ws
name: httpbin-gw
spec:
namespaceSelector:
names:
- '*/httpbin'
configMode: BRIDGED
Store as httpbin-mgmt.yaml
, and apply with tctl:
tctl apply -f httpbin-mgmt.yaml
Deploy httpbin
The following configurations should be applied to both clusters; to deploy your application, start by creating the namespace and enable the Istio sidecar injection.
kubectl create namespace httpbin
kubectl label namespace httpbin istio-injection=enabled
Then deploy your application.
kubectl apply -f \
https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml \
-n httpbin
Configure ingress gateway
In this example, you're going to expose the application using simple TLS at the gateway. You'll need to provide it with a TLS certificate stored in a Kubernetes secret.
kubectl create secret tls -n httpbin httpbin-cert \
--cert /path/to/some/cert.pem \
--key /path/to/some/key.pem
Now you can deploy the ingress gateway.
apiVersion: install.tetrate.io/v1alpha1
kind: Gateway
metadata:
name: tsb-httpbin-gateway
namespace: httpbin
spec:
type: INGRESS
kubeSpec:
service:
type: LoadBalancer
Save as httpbin-ingress.yaml
, and apply with kubectl
:
kubectl apply -f httpbin-ingress.yaml
Applying above configurations to both clusters, will create the same environment for both of them, now we will deploy the gateway and virtual services.
The TSB data plane operator in the cluster will pick up this configuration and deploy the gateway's resources in your application namespace. All that is left to do is configure the gateway so that it routes traffic to your application.
- Gateway
- Legacy
apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
name: httpbin-gateway
group: httpbin-gw
workspace: httpbin-ws
tenant: tetrate
organization: tetrate
spec:
workloadSelector:
namespace: httpbin
labels:
app: tsb-httpbin-gateway
http:
- name: httpbin
port: 443
hostname: httpbin.tetrate.com
tls:
mode: SIMPLE
secretName: httpbin-cert
routing:
rules:
- route:
serviceDestination:
host: httpbin/httpbin
Tier1Gateway, IngressGateway and EgressGateway APIs have been deprecated in TSB 1.10.0, Use Gateway API instead.
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
name: httpbin-gateway
group: httpbin-gw
workspace: httpbin-ws
tenant: tetrate
organization: tetrate
spec:
workloadSelector:
namespace: httpbin
labels:
app: tsb-httpbin-gateway
http:
- name: httpbin
port: 443
hostname: httpbin.tetrate.com
tls:
mode: SIMPLE
secretName: httpbin-cert
routing:
rules:
- route:
host: httpbin/httpbin
Save as httpbin-gw.yaml
, and apply with tctl
:
tctl apply -f httpbin-gw.yaml
Now, you can configure both ingress gateway service IP to your DNS entry and configure ROUND ROBIN between them, or just configure one IP and use the other cluster as failover.
You can test that both ingress gateway are working by running:
curl -s -o /dev/null --insecure -w "%{http_code}" \
"https://httpbin.tetrate.com" \
--resolve "httpbin.tetrate.com:443:$CLUSTER1_IP" \
-H "X-B3-Sampled: 1"
curl -s -o /dev/null --insecure -w "%{http_code}" \
"https://httpbin.tetrate.com" \
--resolve "httpbin.tetrate.com:443:$CLUSTER2_IP" \
-H "X-B3-Sampled: 1"