How to specify custom Istio ingress gateway in Kubernetes ingress

8/3/2021

I deployed Istio using the operator and added a custom ingress gateway which is only accessible from a certain source range (our VPN).

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: ground-zero-ingressgateway
spec:
  profile: empty
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
      - name: istio-vpn-ingressgateway
        label:
          app: istio-vpn-ingressgateway
          istio: vpn-ingressgateway
        enabled: true
        k8s:
          serviceAnnotations:
            ...
          service:
            loadBalancerSourceRanges:
              - "x.x.x.x/x"

Now I want to configure Istio to expose a service outside of the service mesh cluster, using the Kubernetes Ingress resource. I use the kubernetes.io/ingress.class annotation to tell the Istio gateway controller that it should handle this Ingress.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.class: istio
spec:
   ...
  • Kubernetes version (EKS): 1.19
  • Istio version: 1.10.3

Which ingress gateway controller is now used (istio-ingressgateway or istio-vpn-ingressgateway)? Is there a way to specify which one should be used?

P.S. I know that I could create a VirtualService and specify the correct gateway but we want to write a manifest that also works without Istio by specifying the correct ingress controller with an annotation.

-- ammerzon
ingress-controller
istio
kubernetes
kubernetes-ingress

1 Answer

8/18/2021

You can create an ingress class that references the ingress controller that is deployed by default in the istio-system namespace. This configuration with ingress will work, however to my current knowledge, this is only used for backwards compatibility. If you want to use istio ingress controller functionality, you should use istio gateway and virtual service instead:

Using the Istio Gateway, rather than Ingress, is recommended to make use of the full feature set that Istio offers, such as rich traffic management and security features.

If this solution is not optimal for you, you should use e.g. nginx ingress controller and you can still bind it with annotations (deprecated) or using IngressClass. To my present knowledge it is not possible to bind this ingress class with an additional ingress controller. If you need an explanation, documentation, you should create an issue on github.

Summary: The recommended option is to use the gateway with virtual service. Another possibility is to use nginx alone ingress with different classes and an ingress resource for them.

-- Mikołaj Głodziak
Source: StackOverflow