Service Mesh (ASM) allows you to use Ingress resources in a managed cluster and specify an ASM gateway as the Ingress controller. This topic describes how to configure Ingress resources in a Container Service for Kubernetes (ACK) cluster and use an ASM gateway as the Ingress controller to expose services in the cluster.

Prerequisites

Limits

  • If you use an ASM gateway as the Ingress controller, you cannot configure the defaultBackend field in the Ingress. For more information, see Ingress.
  • Only Ingress APIs of V1 are supported. Before you use an ASM gateway as an Ingress controller, make sure that the version of Ingress APIs on the data plane is V1.

Features

An Ingress is a standard API object of Kubernetes. It is used to manage external access to Kubernetes services. You can configure routing rules in the Ingress to expose HTTP or HTTPS services in the cluster to the outside of the cluster.

ASM allows you to use Ingress resources in a managed cluster and specify an ASM gateway as the Ingress controller. An ASM gateway supports advanced features such as autoscaling, Transport Layer Security (TLS) acceleration, and graceful shutdown of the Server Load Balancer (SLB) instance on the gateway. When an ASM gateway serves as an Ingress controller, you can use the observability and security features provided by Service Mesh. An ASM gateway also supports the dynamic loading of certificates: the private keys, server certificates, and root certificates required by TLS can be configured dynamically without restarting the gateway.

Step 1: Enable Ingress on the ASM gateway

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
  3. In the Advanced features section, click Enable Ingress API access. In the Submit message that appears, click OK.

Step 2: Create an Ingress and specify the ASM gateway as the Ingress controller

An Ingress does not support the configuration of listening ports for a gateway. By default, port 80 is used for HTTP and port 443 is used for HTTPS. Therefore, you must enable ports 80 and 443 for listening on the ASM gateway.

Use annotations to specify the Ingress controller

  1. Create a file named ingress.yaml and copy the following content to the file:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: istio
      name: ingress
    spec:
      rules:
      - host: httpbin.aliyun.com
        http:
          paths:
          - path: /status
            pathType: Prefix
            backend:
              service:
                name: httpbin
                port:
                  number: 8000
  2. Use kubectl to connect to the ACK cluster and run the following command to specify the ASM gateway as the Ingress controller:
    kubectl apply -f ingress.yaml

Use an IngressClass resource to specify the Ingress controller

  1. Create a file named ingress.yaml and copy the following content to the file:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: ingress
    spec:
      ingressClassName: istio
      rules:
      - host: httpbin.aliyun.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: httpbin
                port:
                  number: 8000
  2. Use kubectl to connect to the ACK cluster and run the following command to specify the ASM gateway as the Ingress controller:
    kubectl apply -f ingress.yaml

Step 3: Use HTTP to access the httpbin service

Run the following command to access the httpbin service:
curl -H 'host: httpbin.aliyun.com' http://${IP address of the ASM gateway}/status/418
Expected output:
    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
The output indicates that the Ingress is used to successfully expose the httpbin application on the ASM gateway.

Step 4: Configure TLS and use HTTPS to access the httpbin service

ASM allows you to configure TLS for an Ingress. The ASM gateway runs in the istio-system namespace. Therefore, the Secret referenced in the Ingress must also reside in the istio-system namespace.

As an Ingress controller, the ASM gateway can dynamically load certificates. The private keys, server certificates, and root certificates required by TLS can be configured dynamically without restarting the gateway. The ASM gateway also allows you to mount multiple Secrets to load different certificates. The whole configuration process does not require the gateway pod to be restarted.

The following example describes how to load a certificate. If multiple certificates are required, repeat Step 2 and Step 3 for each certificate to create another Secret; the certificate is loaded automatically.

  1. Prepare a server certificate and a private key.
    A domain name is accessible only after it has obtained an Internet Content Provider (ICP) filing. In this example, a certificate and a private key are generated for the aliyun.com domain name and saved as the Secret.
    • Scenario 1: No certificate and private key available for aliyun.com

      Run the following openssl commands to create certificates and private keys.

      1. Run the following command to create a root certificate and a private key:
        openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
      2. Run the following commands to generate a certificate and a private key for the server of aliyun.com:
        openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
        openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
      3. Use kubectl to connect to the cluster to which the ingress gateway pod belongs based on the information in the KubeConfig file, and run the following command to create a Secret that contains the server certificate and private key in the istio-system namespace:
        kubectl create -n istio-system secret tls myexample-credential --key=aliyun.com.key --cert=aliyun.com.crt
    • Scenario 2: A certificate and a private key available for aliyun.com
      1. Name the certificate aliyun.com.crt and the private key aliyun.com.key.
      2. Use kubectl to connect to the cluster to which the ingress gateway pod belongs based on the information in the KubeConfig file, and run the following command to create a Secret that contains the server certificate and private key in the istio-system namespace:
        kubectl create -n istio-system secret tls myexample-credential --key=aliyun.com.key --cert=aliyun.com.crt
  2. Create an Ingress and set the Secret referenced by TLS to the myexample-credential Secret created in Step 1.
    1. Create a file named ingress-https.yaml and copy the following content to the file:
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: ingress
        annotations:
          kubernetes.io/ingress.class: istio
      spec:
        rules:
          - host: httpbin.aliyun.com
            http:
              paths:
                - backend:
                    service:
                      name: httpbin
                      port:
                        number: 8000
                  path: /status
                  pathType: Prefix
        tls:
          - hosts:
              - httpbin.aliyun.com
            secretName: myexample-credential
      Note: If you create an Ingress in the ACK console, you can select the Secret of the certificate only from the namespace where the Ingress resides. For example, if you create an Ingress in the default namespace, you can select the corresponding Secret only from the default namespace. Therefore, you need to copy the myexample-credential Secret created in Step 1 to the default namespace to make sure that the Secret can be selected in the ACK console.
    2. Use kubectl to connect to the ACK cluster and run the following command to deploy the Ingress:
      kubectl apply -f ingress-https.yaml
  3. Run the following command to access the httpbin service over HTTPS:
    curl -H Host:httpbin.aliyun.com --resolve httpbin.aliyun.com:443:${IP address of the ASM gateway} https://httpbin.aliyun.com:443/status/418 -k
    Expected output:
        -=[ teapot ]=-
    
           _...._
         .'  _ _ `.
        | ."` ^ `". _,
        \_;`"---"`|//
          |       ;/
          \_     _/
    The output indicates that the Ingress is used to successfully expose the httpbin application on the ASM gateway.
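The certificate generated in Scenario 1 of Step 4 has no subjectAltName entry and a fixed serial of 0, which is why the final curl command needs -k to skip certificate verification. The script below is an added example, not part of the original topic: it repeats the openssl steps from Scenario 1 but issues the server certificate with a SAN that covers httpbin.aliyun.com and a generated serial, then verifies the chain against the root certificate the way a client would, and renders the kubernetes.io/tls Secret manifest that the kubectl create secret tls command in Step 1 produces. The directory argument, the helper names (make_certs, verify_chain, secret_manifest) and the server.ext file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original topic): generate a root CA and a server
# certificate with a SAN for httpbin.aliyun.com, verify the chain, and emit the
# TLS Secret manifest. Helper names and file layout are assumptions of this example.
set -eu

make_certs() {
  dir="$1"
  mkdir -p "$dir"
  # Self-signed root certificate and key, as in Scenario 1 of the topic.
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -subj '/O=myexample Inc./CN=aliyun.com' \
    -keyout "$dir/aliyun.root.key" -out "$dir/aliyun.root.crt" 2>/dev/null
  # Server key and CSR for the host the Ingress routes.
  openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -subj '/CN=httpbin.aliyun.com/O=myexample organization' \
    -keyout "$dir/aliyun.com.key" -out "$dir/aliyun.com.csr" 2>/dev/null
  # Extensions for the leaf: clients match the host name against the SAN, not the CN;
  # serverAuth limits the certificate to TLS server use; CA:FALSE stops it signing others.
  cat > "$dir/server.ext" <<'EOF'
subjectAltName = DNS:httpbin.aliyun.com, DNS:aliyun.com
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
  # -CAcreateserial issues a random serial instead of the fixed "-set_serial 0"
  # used in the topic, so two leaves from this root never share a serial number.
  openssl x509 -req -sha256 -days 365 -in "$dir/aliyun.com.csr" \
    -CA "$dir/aliyun.root.crt" -CAkey "$dir/aliyun.root.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/aliyun.com.crt" 2>/dev/null
}

# Succeeds only when the leaf chains to the root and its SAN lists the Ingress host.
# This is the check that "curl -k" skips; with these files you can instead run
# curl --cacert aliyun.root.crt against the gateway.
verify_chain() {
  dir="$1"
  openssl verify -CAfile "$dir/aliyun.root.crt" "$dir/aliyun.com.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/aliyun.com.crt" -noout -text 2>/dev/null \
    | grep -q 'DNS:httpbin.aliyun.com'
}

# Prints the manifest that "kubectl create -n istio-system secret tls myexample-credential
# --key=aliyun.com.key --cert=aliyun.com.crt" would create; the namespace must be
# istio-system because that is where the ASM gateway runs.
secret_manifest() {
  dir="$1"
  crt=$(openssl base64 -A -in "$dir/aliyun.com.crt")
  key=$(openssl base64 -A -in "$dir/aliyun.com.key")
  printf 'apiVersion: v1\nkind: Secret\ntype: kubernetes.io/tls\n'
  printf 'metadata:\n  name: myexample-credential\n  namespace: istio-system\n'
  printf 'data:\n  tls.crt: %s\n  tls.key: %s\n' "$crt" "$key"
}

# Stand-alone use: sh this_script.sh demo  (writes into ./certs)
if [ "${1:-}" = "demo" ]; then
  make_certs ./certs
  verify_chain ./certs && echo "chain OK, SAN covers httpbin.aliyun.com"
  secret_manifest ./certs
fi
```

The manifest can be applied with kubectl apply -f instead of the kubectl create secret tls command, which is useful when the Secret is kept under version control; the key material in it is only base64-encoded, so store it as you would the raw private key.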