Data Plane

A minimal resource should have an empty spec.

apiVersion: install.tetrate.io/v1alpha1
kind: Gateway
metadata:
  name: bookinfo
  namespace: bookinfo
spec: \{\}

To configure infrastructure specific settings such as the service type, set the relevant field in kubeSpec. Remember that the installation API is an override API so if these fields are unset the operator will use sensible defaults. Only a subset of Kubernetes configuration is available.

When utilizing the service type 'NodePort', you must include the 'traffic.istio.io/nodeSelector' annotation. This annotation specifies which nodes the gateway should be scheduled on.

apiVersion: install.tetrate.io/v1alpha1
kind: Gateway
metadata:
  name: bookinfo
  namespace: bookinfo
spec:
  type: UNIFIED
  kubeSpec:
    service:
      type: NodePort
      annotations:
        traffic.istio.io/nodeSelector: '\{"beta.kubernetes.io/os": "linux"\}'

To customize the gateway workload automatically based on the use case the type field in the GatewaySpec can be configured appropriately. A Gateway deployed using the Gateway API can be configured specifically for egress by configuring the type to EGRESS.

apiVersion: install.tetrate.io/v1alpha1
kind: Gateway
metadata:
  name: bookinfo
  namespace: bookinfo
spec:
  type: EGRESS

IngressGateway, EgressGateway and Tier1Gateway are configured in the same manner but they don't support the type field and configure the gateway workload depending on the kind of configuration created. IngressGateway configuration for above example configurations:

Note: IngressGateway, EgressGateway and Tier1Gateway are considered legacy configuration APIs and will be deprecated in the future release. Users are advised to move to the new Gateway install API.

apiVersion: install.tetrate.io/v1alpha1
kind: IngressGateway
metadata:
  name: bookinfo
  namespace: bookinfo
spec:
  kubeSpec:
    service:
      type: NodePort
      annotations:
        traffic.istio.io/nodeSelector: '\{"beta.kubernetes.io/os": "linux"\}'

The TSB management plane can also digest Gateway install resources centrally and deploy them in the targeted clusters. This enables lifecycle management of unified gateways through TSB UI, tctl, and TSB GitOps. For this to work, two new fields are added to the GatewaySpec: targetNamespace and targetCluster. For the rest the typical TSB hierarchy details are needed. Below is an example of a Gateway install resource to be used with TSB GitOps.

Note: Each Gateway install resource can only target a single cluster and namespace. Therefore multi-cluster TSB gateways will require multiple Gateway install resources, each with a unique name and one for each cluster. To enable Gateway configuration resources to select all deployments across clusters for the logical multi-cluster gateway, the app label must be set in the kubeSpec. This label will be used by the Gateway configuration resources as the workloadSelector.

apiVersion: install.tetrate.io/v1alpha1
kind: Gateway
metadata:
  name: tier1-gateway-cluster-1
  namespace: tier1
  annotations:
    tsb.tetrate.io/organization: tetrate
    tsb.tetrate.io/tenant: tier1
    tsb.tetrate.io/workspace: tier1-workspace
    tsb.tetrate.io/gatewayGroup: tier1-gateway-group
spec:
 type: UNIFIED
 targetCluster: cluster-1
 targetNamespace: tier1
 kubeSpec:
   deployment:
     labels:
       app: tier1-gateway
   service:
     type: LoadBalancer

EgressGatewaySpec

EgressGatewaySpec defines the desired installed state of a single egress gateway for a given namespace in Service Bridge. Specifying a minimal EgressGatewaySpec with a hub will create a default gateway with sensible values.

Field	Description	Validation Rule
connectionDrainDuration	google.protobuf.Duration The amount of time the gateway will wait on shutdown for connections to complete before terminating the gateway. During this drain period, no new connections can be created but existing ones are allowed complete.	–
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings.	–
revision	string Specifies the istio revision to reconcile with. If specified, TSB control plane operator will reconcile this gateway only if operator's revision matches with it. TSB data plane operator, which would be running only when TSB control plane operator is not configured a revision, will ignore revision field and will reconcile gateway as usual. Internally, this revision will guide to pick matching istio control plane for the gateway deployment https://istio.io/latest/docs/setup/upgrade/canary/	–
concurrency	int32 Number of Envoy worker threads to run. By default it will be set automatically based on the gateway's CPU resource limits. Set to -1 to use the legacy behavior of all cores on the machine.	–

GatewaySpec

GatewaySpec defines the desired installed state of a single gateway for a given namespace in Service Bridge. Specifying a minimal GatewaySpec with a hub will create a default gateway with sensible values.

Field	Description	Validation Rule
connectionDrainDuration	google.protobuf.Duration The amount of time the gateway will wait on shutdown for connections to complete before terminating the gateway. During this drain period, no new connections can be created but existing ones are allowed complete.	–
revision	string Specifies the istio revision to reconcile with. If specified, TSB control plane operator will reconcile this gateway only if operator's revision matches with it. TSB data plane operator, which would be running only when TSB control plane operator is not configured a revision, will ignore revision field and will reconcile gateway as usual. Internally, this revision will guide to pick matching istio control plane for the gateway deployment https://istio.io/latest/docs/setup/upgrade/canary/	–
type	tetrateio.api.install.dataplane.v1alpha1.GatewaySpec.Type Type defines the type of gateway deployment created as part of this gateway install object. Possible values are UNIFIED, INGRESS, EGRESS and EASTWEST.	enum = {   defined_only: true }
concurrency	int32 Number of Envoy worker threads to run. By default it will be set automatically based on the gateway's CPU resource limits. Set to -1 to use the legacy behavior of all cores on the machine.	–
targetNamespace	string Namespace where the gateway will be deployed. Required when using TSB MP and TSB GitOps to deploy the gateway. Ignored when using as a pure kubernetes resource.	–
targetCluster	string Cluster where the gateway will be deployed. Required when using TSB MP and TSB GitOps to deploy the gateway. Ignored when using as a pure kubernetes resource.	–
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings.	–

IngressGatewaySpec

IngressGatewaySpec defines the desired installed state of a single ingress gateway for a given namespace in Service Bridge. Specifying a minimal IngressGatewaySpec with a hub will create a default gateway with sensible values.

Field	Description	Validation Rule
connectionDrainDuration	google.protobuf.Duration The amount of time the gateway will wait on shutdown for connections to complete before terminating the gateway. During this drain period, no new connections can be created but existing ones are allowed complete.	–
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings.	–
revision	string Specifies the istio revision to reconcile with. If specified, TSB control plane operator will reconcile this gateway only if operator's revision matches with it. TSB data plane operator, which would be running only when TSB control plane operator is not configured a revision, will ignore revision field and will reconcile gateway as usual. Internally, this revision will guide to pick matching istio control plane for the gateway deployment https://istio.io/latest/docs/setup/upgrade/canary/	–
eastWestOnly	bool If set to true, the ingress gateway will be configured for east west routing only. This means that only port 15443 will be exposed.	–
concurrency	int32 Number of Envoy worker threads to run. By default it will be set automatically based on the gateway's CPU resource limits. Set to -1 to use the legacy behavior of all cores on the machine.	–

Tier1GatewaySpec

Tier1GatewaySpec defines the desired installed state of a single tier 1 gateway for a given namespace in Service Bridge. Specifying a minimal Tier1GatewaySpec with a hub will create a default gateway with sensible values.

Field	Description	Validation Rule
connectionDrainDuration	google.protobuf.Duration The amount of time the gateway will wait on shutdown for connections to complete before terminating the gateway. During this drain period, no new connections can be created but existing ones are allowed complete.	–
kubeSpec	tetrateio.api.install.kubernetes.KubernetesComponentSpec Configure Kubernetes specific settings.	–
revision	string Specifies the istio revision to reconcile with. If specified, TSB control plane operator will reconcile this gateway only if operator's revision matches with it. TSB data plane operator, which would be running only when TSB control plane operator is not configured a revision, will ignore revision field and will reconcile gateway as usual. Internally, this revision will guide to pick matching istio control plane for the gateway deployment https://istio.io/latest/docs/setup/upgrade/canary/	–
concurrency	int32 Number of Envoy worker threads to run. By default it will be set automatically based on the gateway's CPU resource limits. Set to -1 to use the legacy behavior of all cores on the machine.	–

Type

Type defines the different type of use cases and functionalities supported by gateway install. Each type configures the gateway workloads specific to a particular use case represented by the type. If not set, UNIFIED is set as default.

Field	Number	Description
UNIFIED	0	UNIFIED represents the gateway type supporting all functionalities: INGRESS, EGRESS, and EASTWEST. Gateway workloads are configured with default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS). The gateway is configured with a LoadBalancer type service by default.
INGRESS	1	INGRESS represents the gateway type configured for Ingress use cases. Gateway workloads are configured with default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS). The gateway is configured with a LoadBalancer type service by default.
EGRESS	2	EGRESS represents the gateway type configured for Egress use cases. Gateway workloads are configured with the default ports 80 (HTTP), 443 (HTTPS), and 15443 (ISTIO_mTLS). The gateway is configured with a ClusterIP type service by default.
EASTWEST	3	EASTWEST represents the gateway type configured for East-West use cases. Gateway workloads are configured with the default port 15443 (ISTIO_mTLS). The gateway is configured with a LoadBalancer type service by default.