Ingress Gateway
In this scenario, you’ll use a Gateway to allow external traffic to your bookinfo application.
Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts
✓ Install the TSB demo environment
✓ Deploy the Istio Bookinfo sample app
✓ Create a Tenant
✓ Create a Workspace
✓ Create Config Groups
Create Ingress Gateway object
First, you’ll create an Ingress Gateway with the yaml below and apply it. This will create an Ingress Gateway for your cluster, with a public IP that you can access.
Create the following ingress.yaml
apiVersion: install.tetrate.io/v1alpha1
kind: IngressGateway
metadata:
name: tsb-gateway-bookinfo
namespace: bookinfo
spec:
kubeSpec:
service:
type: LoadBalancer
Apply with kubectl
kubectl apply -f ingress.yaml
Then, get the Gateway IP. The following command will set the environment
variable GATEWAY_IP in your current shell. You will use this environment
variable in the next scenarios.
export GATEWAY_IP=$(kubectl -n bookinfo get service tsb-gateway-bookinfo -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
To confirm that you have a valid Ingress Gateway IP, you can use the following command to display the IP address.
echo $GATEWAY_IP
Certificate for Gateway
Now, setup a TLS certificate for your Gateway. If you have a TLS certificate ready for your domain, you can use it directly or use the following script to create a self-signed certificate.
In the remainder of the example we will assume bookinfo.tetrate.com with
self-signed certificate, and you can follow along using this exact name.
Save the following script as gen-cert.sh
#!/bin/bash
# Script to create self signed certificate
# Usage ./gen-cert.sh bookinfo bookinfo.tetrate.com .
APP=${1:?application id is required}
DNS=${2:?DNS name for certificate}
DIR=${3:?certificate output directory is required}
mkdir -p ${DIR}
# Create openssl config file
cat <<EOF | envsubst > ${DIR}/${APP}.cnf
[req]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = san_reqext
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
organizationName = Tetrateio
[ san_reqext ]
subjectAltName = @alt_names
[alt_names]
DNS.0 = ${DNS}
EOF
openssl req \
-x509 \
-sha256 \
-nodes \
-days 365 \
-newkey rsa:4096 \
-subj "/C=US/ST=CA/O=Tetrateio/CN=${DNS}" \
-keyout ${DIR}/${APP}-ca.key \
-out ${DIR}/${APP}-ca.crt
# generate certificate
openssl req \
-out ${DIR}/${APP}.csr \
-newkey rsa:2048 -nodes \
-keyout ${DIR}/${APP}.key \
-config ${DIR}/${APP}.cnf
# sign certificate with CA
openssl x509 \
-req \
-days 365 \
-CA ${DIR}/${APP}-ca.crt \
-CAkey ${DIR}/${APP}-ca.key \
-set_serial 0 \
-in ${DIR}/${APP}.csr \
-out ${DIR}/${APP}.crt \
-extfile ${DIR}/${APP}.cnf \
-extensions san_reqext
chmod +x gen-cert.sh
./gen-cert.sh bookinfo bookinfo.tetrate.com .
Create Kubernetes secrets to hold the certificates. Make sure to set the correct path to the key and crt file.
kubectl -n bookinfo create secret tls bookinfo-certs \
--key bookinfo.key \
--cert bookinfo.crt
Now you can configure your ingress gateway to route TLS encrypted requests to your bookinfo application in TSB!
Configure with UI
From the Workspaces list, click on Gateway Groups.
Select the bookinfo-gw Gateway Group that you created earlier.
Navigate to the Gateway Settings on the top banner and follow the steps
below. You have to follow these steps before clicking Save Changes at the end
to avoid validation errors.
- Click Add new.... This will create a new Ingress Gateway with default
name
fqn0. - Click
fnq0to open the naming form, and rename itbookinfo-gw-ingress - Click on
bookinfo-gw-ingress - Click on Workload Selector under the
bookinfo-gw-ingress- Set the namespace to:
bookinfo - Add a label:
appwith the valuetsb-gateway-bookinfo
- Set the namespace to:
- Click on HTTP Servers
- Click Add new HTTP Server...
- This will create a new Server with default name
Hostname0. Click onHostname0. - Set name to
bookinfo - Set port
8443 - Set hostname to
bookinfo.tetrate.com
- This will create a new Server with default name
- Click on Server TLS Settings
- Set TLS mode to SIMPLE
- Set secret name to
bookinfo-certs. This is Kubernetes secret name you have created in the previous step.
- Click on Routing Settings
- Click on HTTP Rules
- Click Add new HTTP Rule...
- This will create a new Rule with default name
HTTP Rule 1 - Click on
HTTP Rule 1 - Choose
Routeas Routing option
- This will create a new Rule with default name
- Click on
RouteunderHTTP Rule 1in the tree menu - Enter service host, using the syntax
<namespace>/<fqdn>wherefqdnmust be the fully qualified name of the destination service in a cluster. Set host tobookinfo/productpage.bookinfo.svc.cluster.local, Port9080 - Save Changes
Configure with tctl
Create the following gateway.yaml
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
Metadata:
organization: tetrate
name: bookinfo-gw-ingress
group: bookinfo-gw
workspace: bookinfo-ws
tenant: tetrate
spec:
workloadSelector:
namespace: bookinfo
labels:
app: tsb-gateway-bookinfo
http:
- name: bookinfo
port: 8443
hostname: "bookinfo.tetrate.com"
tls:
mode: SIMPLE
secretName: bookinfo-certs
routing:
rules:
- route:
host: "bookinfo/productpage.bookinfo.svc.cluster.local"
Apply with tctl
tctl apply -f gateway.yaml
Test ingress traffic
To test if your ingress is working as expected, you can execute the following
curl command
GATEWAY IP
In a previous step we showed you how to export the Ingress Gateway IP for your
deployment. If you did not export the variable, or you are using a different
console, you can also replace $GATEWAY_IP in the command below with the actual
Ingress Gateway IP.
curl -k -v "https://bookinfo.tetrate.com/productpage" \
--resolve "bookinfo.tetrate.com:443:$GATEWAY_IP" | \
grep -o "<title>.*</title>"
Bookinfo UI
To view the bookinfo UI, you need to update your /etc/hosts file to make
bookinfo.tetrate.com resolve to your Ingress Gateway IP.
You can adjust manually or run the command below
echo "$GATEWAY_IP\tbookinfo.tetrate.com" | sudo tee -a /etc/hosts
Now, point your browser to https://bookinfo.tetrate.com/productpage