I have recently got into Istio, and trying to rap my head around the gateway concept.
so fundamentally, I get what it is: an entryway into the service-mesh.
however what I don't understand is how best to use the gateways.
I have installed istio via helm on my k8s cluster, and ran through the bookinfo tutorial.
I created the bookinfo-gateway
:
spec:
servers:
- hosts:
- '*'
port:
name: http
number: 80
protocol: HTTP
selector:
istio: ingressgateway
and can access the service via the ingress-gateway created by istio
(found via kubectl get svc -n istio-system
).
It seems the gateway I created is tied to the gateway LOADBALANCER
created by istio via the selector
.
I created a virtualservice, and pointed it to the bookinfo gateway:
spec:
hosts:
- '*'
gateways:
- bookinfo-gateway
http:
- match:
....
What I don't understand is when/why I would create another gateway. I can also create ANOTHER virtualservice, and point it to the bookinfo-gateway
as well.
So when would I create another Gateway? would it only be when I created another istio-ingress-gateway (one with a different IP)?
I am somewhat new to Istio as well. Here are a few things to keep in mind.
1) The Istio Ingress Gateway by default lets nothing into the cluster. 2) You define a gateway to let traffic in on the port(s) and protocol(s) you specify with it. The gateway does NOT aim traffic at anything. It just allows it in. 3) To aim traffic from a gateway definition to a actual Kubernetes service you use a Virtual Service (which is really a route). It is the virtual service that connects a gateway to a kubernetes service and aims traffic at it that meet a certain criterial. In particular certain labels. Or certain host that traffic is coming from.
4) The service is Kubernetes stable ip load balancer to the service which is physically deployed on one or more pods.
So to clarify. Istio Ingress Gateway is single point into cluster. Nothing is coming in until you provide a gateway. In the gateway you specify a port and protocol. Like http, 80. This allows that traffic in but it wont go anywhere.
try not to think of the gateway as another path along the traffic flow. Its more a directive to the actual gateway which is always Istio Ingress Gateway. It just says let this kind of traffic in on this port.
Now if you notice virtual service checks labels and based on labels directs to services also based on labels. So you might have more than one virtual service using same gateway to connect to different services.
So I think of it as gateways subdivide traffic from Istio Ingress Gateway by port and protocol. Again they allow certain type of traffic in but do not aim it. A virtual service (route) always routes traffic that has been defined by a gateway to one or more services based on labels.
I dont know if you can have two gateways using same port and protocol.