Kubernetes Ingress
This task describes how to configure Istio to expose a service outside of the service mesh cluster, using the Kubernetes Ingress Resource6.
Before you begin
Follow the instructions in the Before you begin and Determining the ingress IP and ports sections of the Ingress Gateways task7.
Configuring ingress using an Ingress resource
A Kubernetes Ingress Resources6 exposes HTTP and HTTPS routes from outside the cluster to services within the cluster.
Let’s see how you can configure a Ingress
on port 80 for HTTP traffic.
Create an
Ingress
resource:The
kubernetes.io/ingress.class
annotation is required to tell the Istio gateway controller that it should handle thisIngress
, otherwise it will be ignored.Access the httpbin service using curl:
Note that you use the
-H
flag to set the Host HTTP header to “httpbin.example.com”. This is needed because theIngress
is configured to handle “httpbin.example.com”, but in your test environment you have no DNS binding for that host and are simply sending your request to the ingress IP.Access any other URL that has not been explicitly exposed. You should see an HTTP 404 error:
Next Steps
TLS
Ingress
supports specifying TLS settings. This is supported by Istio, but the referenced Secret
must exist in the namespace of the istio-ingressgateway
deployment (typically istio-system
). cert-manager8 can be used to generate these certificates.
Specifying path type
By default, Istio will treat paths as exact matches, unless they end in /*
or .*
, in which case they will become prefix matches. Other regular expressions are not supported.
In Kubernetes 1.18, a new field, pathType
, was added. This allows explicitly declaring a path as Exact
or Prefix
.
Specifying IngressClass
In Kubernetes 1.18, a new resource, IngressClass
, was added, replacing the kubernetes.io/ingress.class
annotation on the Ingress
resource. If you are using this resource, you will need to set the controller
field to istio.io/ingress-controller
. For example:
Cleanup
Delete the Ingress
configuration, and shutdown the httpbin9 service: