Posted in Software Engineering

Istio Ingress and DNS

Istio ingress provides external access to your mesh. You can follow the official documentation to find your $INGRESS_HOST:$INGRESS_PORT combination. That works perfectly, but what if the service client knows nothing about the mesh implementation? All it needs is a unique hostname to reach a specific service.

For example, you have a myapp service running in the myns namespace. The goal is to expose this service outside the K8s cluster under a unique DNS name from your domain. Let’s assume that you own the mycompany.com domain. In this case, the exposed myapp service URL would be:

https://myapp-myns.istio-gw.mycompany.com

Let’s follow the steps on how we can achieve this in AWS cloud by configuring:

  • Istio Gateway
  • AWS ELB/NLB
  • AWS Route 53
  • Istio VirtualService

1. Issue Certificates for Istio Ingress

You can follow this guide to issue certificates, or ask your security team to provide them.

We’re looking for a ‘*’ wildcard certificate in your domain so that one certificate matches all the service endpoints.

In this demo, we’ll use a *.istio-gw.mycompany.com certificate generated with the guide above:

./generate.sh *.istio-gw.mycompany.com <password>

2. Import certificate to Istio ingress trust store

We’ll continue with TLS, but you can also use mTLS instead.

$ kubectl create -n istio-system secret tls istio-ingressgateway-certs --key '*.istio-gw.mycompany.com/3_application/private/*.istio-gw.mycompany.com' --cert '*.istio-gw.mycompany.com/3_application/certs/*.istio-gw.mycompany.com'

3. Configure Istio Gateway Object

Create a Gateway object that accepts connections for *.istio-gw.mycompany.com hosts, i.e. the same wildcard the certificate from step 1 covers.

cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-istio-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "*.istio-gw.mycompany.com"
EOF

4. Create AWS ELB with TCP listener or NLB

Create the AWS Load Balancer and configure a listener on port 443. Use the K8s worker nodes as target hosts and port 31390 (the default Istio ingress TLS NodePort) as the target port.

5. Configure Route 53 with ELB/NLB record

Navigate to the Route 53 page in AWS.

NOTE: the mycompany.com hosted zone must already exist in AWS.

Choose the mycompany.com hosted zone and create a Record Set.

Configure the Record Set with the wildcard name (*.istio-gw.mycompany.com) and add the ELB/NLB DNS name from step 4 as the Alias Target.

6. Configure Istio VirtualService Object for Myapp

In this step, we’ll configure the mapping between the externally resolvable DNS name and the internal cluster service.

cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp
  namespace: myns
spec:
  hosts:
  - "myapp-myns.istio-gw.mycompany.com"
  gateways:
  # Gateway lives in another namespace; newer Istio releases also accept istio-system/my-istio-gateway
  - my-istio-gateway.istio-system.svc.cluster.local
  http:
  - route:
    - destination:
        port:
          number: 8443
        host: myapp.myns.svc.cluster.local
EOF

This VirtualService will accept https://myapp-myns.istio-gw.mycompany.com:443 requests arriving through the Gateway and route them to https://myapp.myns.svc.cluster.local:8443 inside the cluster.
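The three objects from the steps above only work together when they agree: the VirtualService host must match a Gateway server host pattern, the VirtualService must reference the Gateway in a form Istio understands, and the name must be covered by the certificate loaded in step 2. The following preflight check is an added example, not code from the original post or from Istio; the manifests are embedded as Python dicts constructed to mirror the YAML above, and the certificate SAN list is likewise constructed. It also shows where Istio host matching and X.509 wildcard matching differ: Istio treats `*.istio-gw.mycompany.com` as a suffix match over any number of labels, while a certificate wildcard covers exactly one label, so a host like `a.b.istio-gw.mycompany.com` would be accepted by the Gateway but fail TLS at the client.

```python
# Added example (not from the original post): preflight consistency check for
# the Gateway, VirtualService and wildcard certificate before applying them.
# All input below is constructed sample data mirroring the post's manifests.

GATEWAY = {
    "kind": "Gateway",
    "metadata": {"name": "my-istio-gateway", "namespace": "istio-system"},
    "spec": {"servers": [{"port": {"number": 443, "protocol": "HTTPS"},
                          "tls": {"mode": "SIMPLE"},
                          "hosts": ["*.istio-gw.mycompany.com"]}]},
}

VIRTUAL_SERVICE = {
    "kind": "VirtualService",
    "metadata": {"name": "myapp", "namespace": "myns"},
    "spec": {"hosts": ["myapp-myns.istio-gw.mycompany.com"],
             "gateways": ["my-istio-gateway.istio-system.svc.cluster.local"]},
}

# Subject Alternative Names of the certificate stored in
# istio-ingressgateway-certs (constructed to match step 1).
CERT_SANS = ["*.istio-gw.mycompany.com"]


def istio_host_matches(pattern: str, host: str) -> bool:
    """Istio Gateway/VirtualService host semantics: '*' matches everything,
    '*.suffix' is a suffix match over any number of labels, otherwise exact."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".istio-gw.mycompany.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def x509_name_matches(san: str, host: str) -> bool:
    """RFC 6125 style matching: a wildcard is honoured only as the whole
    left-most label and covers exactly one label, so *.a.b does not cover
    x.y.a.b. This is stricter than Istio's suffix match."""
    san_labels = san.lower().split(".")
    host_labels = host.lower().split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        return san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def gateway_ref_ok(ref: str, name: str, namespace: str) -> bool:
    """Accept both spellings Istio understands for a Gateway in another
    namespace: 'namespace/name' and the older 'name.namespace.svc.cluster.local'."""
    return ref in (f"{namespace}/{name}",
                   f"{name}.{namespace}.svc.cluster.local")


def preflight(gateway: dict, vs: dict, cert_sans: list) -> list:
    """Return human-readable findings; an empty list means the trio is consistent."""
    findings = []
    gw_name = gateway["metadata"]["name"]
    gw_ns = gateway["metadata"]["namespace"]
    gw_hosts = [h for server in gateway["spec"]["servers"] for h in server["hosts"]]

    if not any(gateway_ref_ok(ref, gw_name, gw_ns) for ref in vs["spec"]["gateways"]):
        findings.append(f"VirtualService does not reference Gateway {gw_ns}/{gw_name}")

    for host in vs["spec"]["hosts"]:
        if not any(istio_host_matches(p, host) for p in gw_hosts):
            findings.append(f"{host}: no Gateway server host pattern matches it")
        if not any(x509_name_matches(san, host) for san in cert_sans):
            findings.append(f"{host}: not covered by the certificate SANs")
    return findings


if __name__ == "__main__":
    for finding in preflight(GATEWAY, VIRTUAL_SERVICE, CERT_SANS) or ["OK"]:
        print(finding)
```

Run it against the real manifests by loading them from the cluster (for instance the output of `kubectl get gateway,virtualservice -A -o json`) instead of the constructed dicts; a Gateway whose hosts entry belongs to a different domain than the VirtualService, or a VirtualService host one label deeper than the wildcard certificate, both surface as findings before the first failed request reaches the gateway.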

Testing

Use any REST client for testing, for example curl:

curl https://myapp-myns.istio-gw.mycompany.com:443/service/hello -o /dev/null -s -w '%{http_code}\n'
200
