Gateway Group
Gateway Groups allow grouping the gateways in a set of namespaces
owned by its parent workspace. Gateway related configurations can
then be applied on the group to control the behavior of these
gateways. The group can be in one of two modes: BRIDGED
and
DIRECT
. BRIDGED
mode is a minimalistic mode that allows users to
quickly configure the most commonly used features in the service
mesh using Tetrate specific APIs, while the DIRECT
mode provides
more flexibility for power users by allowing them to configure the
gateways's traffic and security properties using a restricted
subset of Istio Networking and Security APIs.
The following example creates a gateway group for the gateways in
ns1
, ns2
and ns3
namespaces owned by its parent workspace
w1
under tenant mycompany
apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
name: g1
workspace: w1
tenant: mycompany
organization: myorg
spec:
namespaceSelector:
names:
- "*/ns1"
- "*/ns2"
- "*/ns3"
configMode: BRIDGED
It is possible to create a gateway group for namespaces in a specific cluster as long as the parent workspace owns those namespaces in that cluster. For example,
apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
name: g1
workspace: w1
tenant: mycompany
organization: myorg
spec:
namespaceSelector:
names:
- "c1/ns1" # pick ns1 namespace only from c1 cluster
- "*/ns2"
- "*/ns3"
configMode: BRIDGED
In the DIRECT
mode, it is possible to directly attach Istio
Networking v1beta1 APIs - VirtualService
, and Gateway
, and
Istio Security v1beta1 APIs - RequestAuthentication
, and
AuthorizationPolicy
to the gateway group. These configurations
will be validated for correctness and conflict free operations and
then pushed to the appropriate Istio control planes.
The following example declares a Gateway
and a VirtualService
for a specific workload in the ns1
namespace:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: ingress
namespace: ns1
annotations:
tsb.tetrate.io/organization: myorg
tsb.tetrate.io/tenant: mycompany
tsb.tetrate.io/workspace: w1
tsb.tetrate.io/gatewayGroup: g1
spec:
selector:
app: my-ingress-gateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- uk.bookinfo.com
- eu.bookinfo.com
and the associated VirtualService
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: ingress-rule
namespace: ns1
annotations:
tsb.tetrate.io/organization: myorg
tsb.tetrate.io/tenant: mycompany
tsb.tetrate.io/workspace: w1
tsb.tetrate.io/gatewayGroup: g1
spec:
hosts:
- uk.bookinfo.com
- eu.bookinfo.com
gateways:
- ns1/ingress # Has to bind to the same gateway
http:
- route:
- destination:
port:
number: 7777
host: reviews.ns1.svc.cluster.local
The namespace where the Istio APIs are applied will need to be part of the parent gateway group. In addition, each API object will need to have annotations to indicate the organization, tenant, workspace and the gateway group to which it belongs to.
Group
A gateway group manages the gateways in a group of namespaces owned by the parent workspace.
Field | Description | Validation Rule |
---|---|---|
namespaceSelector | tetrateio.api.tsb.types.v2.NamespaceSelector | message = { |
configMode | tetrateio.api.tsb.types.v2.ConfigMode | – |
deletionProtectionEnabled | bool | – |
profiles | List of string | – |
configGenerationMetadata | tetrateio.api.tsb.types.v2.ConfigGenerationMetadata | – |