Service Mesh (ASM) allows you to use Ingress resources in a managed cluster and specify an ASM gateway as the Ingress controller. This topic describes how to configure Ingress resources in a Container Service for Kubernetes (ACK) cluster and use an ASM gateway as the Ingress controller to expose services in the cluster.
Prerequisites
- An ACK cluster is added to an ASM instance of v1.16 or later. For more information, see Add a cluster to an ASM instance.
- An ingress gateway is deployed and ports 80 and 443 are exposed. For more information, see Create an ingress gateway service.
- The httpbin application is deployed. (However, it does not need to be exposed on the gateway.) For more information, see Deploy the httpbin application.
Limits
- If you use an ASM gateway as the Ingress controller, you cannot configure the defaultBackend field in the Ingress. For more information, see Ingress.
- Only the v1 Ingress API (networking.k8s.io/v1) is supported. Before you use an ASM gateway as an Ingress controller, make sure that the Ingress resources on the data plane use the v1 API.
Features
An Ingress is a standard API object of Kubernetes. It is used to manage external access to Kubernetes services. You can configure routing rules in the Ingress to expose HTTP or HTTPS services in the cluster to the outside of the cluster.
ASM allows you to use Ingress resources in a managed cluster and specify an ASM gateway as the Ingress controller. An ASM gateway supports advanced features such as autoscaling, Transport Layer Security (TLS) acceleration, and graceful shutdown of the Server Load Balancer (SLB) instance on the gateway. When an ASM gateway serves as an Ingress controller, you can use the observability and security features provided by Service Mesh. An ASM gateway also supports the dynamic loading of certificates: the private keys, server certificates, and root certificates required by TLS can be configured without restarting the gateway.
Step 1: Enable Ingress on the ASM gateway
- Log on to the ASM console. In the left-side navigation pane, choose .
- On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
- In the Advanced features section, click Enable Ingress API access. In the Submit message that appears, click OK.
Step 2: Create an Ingress and specify the ASM gateway as the Ingress controller
The Ingress API does not let you configure the listening ports of a gateway. By default, port 80 is used for HTTP and port 443 is used for HTTPS. Therefore, the ASM gateway must listen on ports 80 and 443.
Use annotations to specify the Ingress controller
- Create a file named ingress.yaml and copy the following content to the file:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio
  name: ingress
spec:
  rules:
  - host: httpbin.aliyun.com
    http:
      paths:
      - path: /status
        pathType: Prefix
        backend:
          service:
            name: httpbin
            port:
              number: 8000
- Use kubectl to connect to the ACK cluster and run the following command to specify the ASM gateway as the Ingress controller:
kubectl apply -f ingress.yaml
Use an IngressClass resource to specify the Ingress controller
- Create a file named ingress.yaml and copy the following content to the file:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
spec:
  ingressClassName: istio
  rules:
  - host: httpbin.aliyun.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: httpbin
            port:
              number: 8000
- Use kubectl to connect to the ACK cluster and run the following command to specify the ASM gateway as the Ingress controller:
kubectl apply -f ingress.yaml
Step 3: Use HTTP to access the httpbin service
curl -H 'host: httpbin.aliyun.com' http://${IP address of the ASM gateway}/status/418
Expected output:
-=[ teapot ]=-
_...._
.' _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
| ;/
\_ _/
The output indicates that the Ingress is used to successfully expose the httpbin application on the ASM gateway.
Step 4: Configure TLS and use HTTPS to access the httpbin service
ASM allows you to configure TLS for an Ingress. The ASM gateway runs in the istio-system namespace. Therefore, the Secret referenced in the Ingress must also reside in the istio-system namespace.
As an Ingress controller, the ASM gateway can dynamically load certificates: the private keys, server certificates, and root certificates required by TLS can be configured without restarting the gateway. The ASM gateway also allows you to mount multiple Secrets to load different certificates, and none of this configuration requires the gateway pod to be restarted.
The following example describes how to load one certificate. If multiple certificates are required, repeat Step 2 and Step 3 below for each certificate to create its Secret; the gateway loads the certificate automatically.
- Prepare a server certificate and a private key. A domain name is accessible only after it has obtained an Internet Content Provider (ICP) filing. In this example, a certificate and a private key are generated for the aliyun.com domain name and saved as the Secret.
- Scenario 1: No certificate and private key available for aliyun.com
Run the following openssl commands to create certificates and private keys.
- Run the following command to create a root certificate and a private key:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
- Run the following commands to generate a certificate and a private key for the server of aliyun.com:
openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
- Use kubectl to connect to the cluster to which the ingress gateway pod belongs based on the information in the KubeConfig file, and run the following command to create a Secret that contains the server certificate and private key in the istio-system namespace:
kubectl create -n istio-system secret tls myexample-credential --key=aliyun.com.key --cert=aliyun.com.crt
- Scenario 2: A certificate and a private key available for aliyun.com
- Name the certificate aliyun.com.crt and the private key aliyun.com.key.
- Use kubectl to connect to the cluster to which the ingress gateway pod belongs based on the information in the KubeConfig file, and run the following command to create a Secret that contains the server certificate and private key in the istio-system namespace:
kubectl create -n istio-system secret tls myexample-credential --key=aliyun.com.key --cert=aliyun.com.crt
- Create an Ingress and set the Secret referenced in its TLS configuration to the myexample-credential Secret created in Step 1.
- Run the following command to access the httpbin service over HTTPS:
curl -H Host:httpbin.aliyun.com --resolve httpbin.aliyun.com:443:${IP address of the ASM gateway} https://httpbin.aliyun.com:443/status/418 -k
Expected output:
-=[ teapot ]=-
_...._
.' _ _ `.
| ."` ^ `". _,
\_;`"---"`|//
| ;/
\_ _/
The output indicates that the Ingress is used to successfully expose the httpbin application on the ASM gateway.
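The Ingress for the HTTPS step, written out as an added example (it is not a manifest from the original page): it keeps the httpbin rule from Step 2 and adds a tls section that references the myexample-credential Secret, which must live in istio-system because that is where the ASM gateway runs.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  # The Ingress itself lives in the namespace of the httpbin Service;
  # only the referenced Secret has to be in istio-system.
spec:
  ingressClassName: istio
  tls:
  - hosts:
    - httpbin.aliyun.com
    # Created in istio-system with:
    # kubectl create -n istio-system secret tls myexample-credential --key=aliyun.com.key --cert=aliyun.com.crt
    secretName: myexample-credential
  rules:
  - host: httpbin.aliyun.com
    http:
      paths:
      - path: /status
        pathType: Prefix
        backend:
          service:
            name: httpbin
            port:
              number: 8000
```

Apply it with kubectl apply -f and run the curl command from the step above. The -k flag is needed there only because the test certificate was issued for aliyun.com rather than httpbin.aliyun.com and is signed by a self-generated root; with a certificate issued for the actual host name by a trusted CA, drop -k so that curl verifies the gateway's certificate.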