Three stages to transition from Kubernetes Ingress resources to Istio’s ingress gateway.
Istio adds additional layers of management on top of those available in Kubernetes and allows developers to connect, secure, and manage microservices. You can learn more about the basics of Istio by reading our post, “What is Istio?”.
This tutorial will provide steps for migrating services from Kubernetes Ingress resources to Istio’s ingress gateways in an IBM Cloud Kubernetes Service environment.
- IBM Cloud Kubernetes Cluster with Istio installed—you can install manually by going to istio.io, or use the Managed Istio add-on.
Use IBM Kubernetes Service ALB and Kubernetes Ingress resources to access a service
First, we will deploy a simple application (without Istio) and expose it using the normal Kubernetes Ingress.
IBM Cloud Kubernetes Service exposes applications deployed within your cluster using Kubernetes Ingress resources. The application load balancer (ALB) accepts incoming traffic and forwards the requests to the corresponding service. Your cluster ALB is assigned a URL to expose the deployed services using the name format <cluster_name>.<region>.containers.appdomain.cloud. Retrieve your cluster’s Ingress subdomain and configure this value as an environment variable for the steps that follow:
For this tutorial, we will use a simple HTTP request and response service called httpbin. Begin by deploying a copy of this service to your space in IBM Cloud Kubernetes Service:
Next, apply a Kubernetes Ingress resource to access the httpbin service and expose the /headers API:
servicePort match those specified in the Kubernetes service definition in
samples/httpbin/httpbin.yaml. Verify that the httpbin service is now accessible using curl:
Use Kubernetes Ingress to access Istio-enabled workloads
With the Istio default configuration, you can continue using the standard Kubernetes Ingress resources to expose Istioe-nabled services (pods that have Istiosidecar). The Ingress resource configures the IBM Cloud Kubernetes Service nginx application load balancers that come with the service (in kube-system namespace).
By default (permissive mtls policy), the sidecar will allow traffic from the ALB pods. Let’s see this working by adding httpbin to the Istio service mesh and accessing it using the same Ingress from the previous section.
Label the namespace for automatic Istio sidecar injection:
With this configured, any new pods will automatically get deployed with Istio’s sidecar proxy. Since httpbin is already deployed, deleting the
httpbin pod will cause it to get redeployed with the sidecar in place:
The httpbin pod now has two containers: httpbin app and istio-proxy sidecar. Verify the new httpbin pod is running and curl the httpbin service again:
Observe the additional headers returned in the response this time around. The Envoy proxy running in the Istio sidecar captures all traffic to the httpbin service, applies any traffic management policies, and then routes the request to the httpbin service.
Note: If Istio was deployed with STRICT mTLS policy, the curl command above will fail since the Kubernetes Ingress resource does not have mTLS configured between the ALB and httpbin service. To direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio ingress gateway, see this blog.
Chain the IBM Cloud Kubernetes Service ALB to the Istio gateway
In this section, you will create an Ingress resource to point to the istio-ingressgateway Service and then use standard Istio Gateway and VirtualServices to route traffic from Istio Gateway to your Istio-enabled workloads.
The ALB relies on Kubernetes Ingress resources to control how traffic is routed to services deployed in your cluster. In Istio, Ingress traffic is configured via Gateways and VirtualServices. Gateways and VirtualServices provide a super set of the functionality provided by the Kubernetes Ingress resource in a more flexible format. In the same way that the routing behavior of the ALB is configured by Kubernetes Ingress resources, Istio uses Gateways and VirtualServices to configure Istio’s ingress gateway. Traffic from outside the Istio service mesh is routed by the ingress gateway:
To make the transition easier for users who may already have Kubernetes Ingress resources defined for their services, Istio provides a converter tool as part of istioctl for migrating Ingress resource definitions to corresponding VirtualServices:
The VirtualService tells Istio which service to route to based on the request host and request path from a bound Gateway rule. The Gateway is required to open a port on the Istio ingress gateway for incoming requests but this has already been created during the install process:
Edit vservice.yaml and change gateways section to point to the above gateway:
Apply the VirtualService:
Finally, the original Kubernetes Ingress resource needs to be deleted and recreated so that it points to the Istio ingress gateway rather than the httpbin service directly:
Perform the curl command once more to verify that traffic is now routed from the ALB to the Istio ingress gateway and finally the httpbin service:
Create a host name to access the Istio ingress gateway directly
IBM Cloud Kubernetes Service allows users to configure a subdomain which will resolve directly to a Kubernetes network load balancer (NLB) IP. The steps below will enable the Istio ingress gateway to accept web traffic directly instead of first going through the ALB.
First, retrieve the NLB IP for the Istio ingress gateway:
Then, create the host name for your cluster:
This will create a host name using the following format:
Update Istio with the new host name. Replace the original INGRESS_HOST defined above with the host name created above:
Apply the VirtualService rule (vservice.yaml) again so that the updated INGRESS_HOST value is picked up:
Now, you can curl the Istio ingress gateway directly using the NLB host name provided for your cluster:
With these instructions, existing services can be migrated from the default IBM Cloud Kubernetes Service ALB to using the Istio ingress gateway. After migration is complete, you can begin exploring the additional Ingress configuration options for your service mesh available with Istio Gateways and VirtualServices.