Skip to main content
logoTetrate Service BridgeVersion: next

Ingress Gateway

In this scenario, you'll use a Gateway to allow external traffic to your bookinfo application.

Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts
✓ Install the TSB demo environment
✓ Deploy the Istio Bookinfo sample app
✓ Create a Tenant
✓ Create a Workspace
✓ Create Config Groups
✓ Configure Permissions

Create Ingress Gateway object

First, you'll create an Ingress Gateway with the yaml below and apply it. This will create an Ingress Gateway for your cluster, with a public IP that you can access.

Create the following ingress.yaml

kind: IngressGateway
name: tsb-gateway-bookinfo
namespace: bookinfo
type: LoadBalancer

Apply with kubectl

kubectl apply -f ingress.yaml

Then, get the Gateway IP (or hostname in case of AWS). The following command will set the environment variable GATEWAY_IP in your current shell. You will use this environment variable in the next scenarios.

export GATEWAY_IP=$(kubectl -n bookinfo get service tsb-gateway-bookinfo -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")

To confirm that you have a valid Ingress Gateway IP, you can use the following command to display the IP address (or hostname in case of AWS).


When using LoadBalancer, Istio uses the external IP of the Service to know where to send the traffic. But when using NodePort in Istio, the label is needed to let Istio know which are the nodes where a Service is running

Certificate for Gateway

Now, setup a TLS certificate for your Gateway. If you have a TLS certificate ready for your domain, you can use it directly or use the following script to create a self-signed certificate.

In the remainder of the example we will assume with self-signed certificate, and you can follow along using this exact name.

Save the following script as

# Script to create self signed certificate
# Usage ./ bookinfo .

APP=${1:?application id is required}
DNS=${2:?DNS name for certificate}
DIR=${3:?certificate output directory is required}

mkdir -p ${DIR}

# Create openssl config file
cat <<EOF | envsubst > ${DIR}/${APP}.cnf
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = san_reqext

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
organizationName = Tetrateio

[ san_reqext ]
subjectAltName = @alt_names

DNS.0 = ${DNS}

openssl req \
-x509 \
-sha256 \
-nodes \
-days 365 \
-newkey rsa:4096 \
-subj "/C=US/ST=CA/O=Tetrateio/CN=${DNS}" \
-keyout ${DIR}/${APP}-ca.key \
-out ${DIR}/${APP}-ca.crt

# generate certificate
openssl req \
-out ${DIR}/${APP}.csr \
-newkey rsa:2048 -nodes \
-keyout ${DIR}/${APP}.key \
-config ${DIR}/${APP}.cnf

# sign certificate with CA
openssl x509 \
-req \
-days 365 \
-CA ${DIR}/${APP}-ca.crt \
-CAkey ${DIR}/${APP}-ca.key \
-set_serial 0 \
-in ${DIR}/${APP}.csr \
-out ${DIR}/${APP}.crt \
-extfile ${DIR}/${APP}.cnf \
-extensions san_reqext

Make the script executable and run it

chmod +x
./ bookinfo .

Create Kubernetes secrets to hold the certificates. Make sure to set the correct path to the key and crt file.

kubectl -n bookinfo create secret tls bookinfo-certs \
--key bookinfo.key \
--cert bookinfo.crt

Now you can configure your ingress gateway to route TLS encrypted requests to your bookinfo application in TSB!

Configure with UI

From the Workspaces list, click on Gateway Groups.

Select the bookinfo-gw Gateway Group that you created earlier.

Navigate to the Gateway Settings on the top tab to display the config view of the gateway and Unified Gateways would be selected as default.

Unified Gateway

From TSB 1.7.0 onwards, we have merged both Tier1Gateway and IngressGateway capabilities under a common resource Gateway

Here, you can click the name of configuration item to display its possible configuration fields. If that item has child, you may expand it by clicking the arrow on its left, to display its configurable child.

To configure the gateway, follow the steps below. You have to perform these steps in the correct sequence before clicking Save Changes at the end to avoid validation errors.

  1. Click Add new.... This will create a new Gateway with default name default-unifiedgateway.
  2. Click default-unifiedgateway to open the naming form, and rename it bookinfo-gw-ingress
  3. Expand bookinfo-gw-ingress to display the children of this node
  4. Click on Workload Selector under the bookinfo-gw-ingress
    • Set the namespace to: bookinfo
    • Add a label: app with the value tsb-gateway-bookinfo
  5. Expand HTTP Servers
  6. Click Add new HTTP Server...
    • This will create a new Server with default name Hostname0. Click on Hostname0.
    • Set name to bookinfo
    • Set port 8443
    • Set hostname to
  7. Expand Hostname0 to display its child.
  8. Click on Server TLS Settings
    • Set TLS mode to SIMPLE
    • Set secret name to bookinfo-certs. This is Kubernetes secret name you have created in the previous step.
  9. Expand Routing Settings
  10. Click on Route Rules
  11. Click Add new Route Rule...
    • This will create a new Rule with default name Route Rule 1
    • Click on Route Rule 1
    • Choose Route as Routing option
  12. Expand Route Rule 1
  13. Click on Route to under Route Rule 1 in the tree menu
    • Choose Service Destination as the option
  14. Expand Route to
  15. Click on Service Destination
  16. Enter service host, using the syntax <namespace>/<fqdn> where fqdn must be the fully qualified name of the destination service in a cluster. Set host to bookinfo/productpage.bookinfo.svc.cluster.local, Port 9080
  17. Save Changes

Use IngressGateways Tab from settings to use Legacy IngressGateway configuration

Configure with tctl

Create the following gateway.yaml

kind: Gateway
organization: tetrate
name: bookinfo-gw-ingress
group: bookinfo-gw
workspace: bookinfo-ws
tenant: tetrate
namespace: bookinfo
app: tsb-gateway-bookinfo
- name: bookinfo
port: 8443
hostname: ''
mode: SIMPLE
secretName: bookinfo-certs
- route:
host: 'bookinfo/productpage.bookinfo.svc.cluster.local'

Apply with tctl

tctl apply -f gateway.yaml

Test ingress traffic

To test if your ingress is working as expected, you can execute the following curl command


In a previous step we showed you how to export the Ingress Gateway IP for your deployment. If you did not export the variable, or you are using a different console, you can also replace $GATEWAY_IP in the command below with the actual Ingress Gateway IP.

curl -k -s --connect-to$GATEWAY_IP \
"" | \
grep -o "<title>.*</title>"

Bookinfo UI

To view the bookinfo UI, you need to update your /etc/hosts file to make resolve to your Ingress Gateway IP.

You can adjust manually or run the command below

echo "$GATEWAY_IP" | sudo tee -a /etc/hosts

Now, point your browser to

Accessing the demo app

Because you have setup a self-signed certificate, when you access your browser will display an error or a warning.

Most browsers will have an option to bypass this (usually through an "Advanced" menu or similar). Use the bypass if available, or please refer to you specific browser and OS documentation for details on how to suppress the error