Custom Ingress Gateway not showing up

Hello,

I’m using Istio within a Kubernetes cluster hosted on the Google Cloud Platform. I’m using a manually installed version instead of the Google-provided solution.

The cluster is reachable via the default istio-ingressgateway, and that works perfectly. Now I wanted to set up a second ingressgateway for internal communication. I need that, since some of the services that need to talk to the cluster are hosted outside of it. The default ingress-gateway is only reachable via several protection services (e.g. Cloudflare) and I don’t want to have the traffic for service<->service connection running through that.

The current Istio Operator version I’m using is 1.9.2. The operator is being deployed via this config with terraform:

resource "kubectl_manifest" "istio-operator" {
  #language=YAML
  yaml_body = <<YAML
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-operator
  namespace: "${kubernetes_namespace.istio-system.metadata[0].name}"
  labels:
    app.kubernetes.io/part-of: "service-mesh"
    app.kubernetes.io/managed-by: "Terraform"
spec:
  profile: default
  components:
    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
      - name: internal-ingressgateway
        enabled: true
        label:
          istio: internal-ingressgateway
          app: internal-istio-ingressgateway
        k8s:
          serviceAnnotations:
            networking.gke.io/load-balancer-type: "Internal"
            cloud.google.com/load-balancer-type: "internal"
  values:
    gateways:
      istio-ingressgateway:
        serviceAnnotations:
          "cloud.google.com/neg": "{\"ingress\": true}"
          "beta.cloud.google.com/backend-config": '{"default": "main-ingress"}'
        type: NodePort
YAML

  depends_on = [
    helm_release.istio-operator
  ]
}

As you can see, I added a new ingress-gateway with the name internal-ingressgateway. The deployment via terraform also worked without any issues:

+ terraform apply -input=false --parallelism 10 
module.service_mesh.kubectl_manifest.istio-operator: Modifying... [id=/apis/install.istio.io/v1alpha1/namespaces/istio-system/istiooperators/istio-operator]
module.service_mesh.kubectl_manifest.istio-operator: Modifications complete after 0s [id=/apis/install.istio.io/v1alpha1/namespaces/istio-system/istiooperators/istio-operator]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

If I now try to add a new Gateway with this config:

resource "kubectl_manifest" "istio-internal-gateway" {
  #language=YAML
  yaml_body = <<YAML
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: internal-ingressgateway
  namespace: "${kubernetes_namespace.istio-system.metadata[0].name}"
spec:
  selector:
    istio: internal-ingressgateway
  servers:
    - hosts:
        - '*'
      port:
        name: http
        number: 80
        protocol: HTTP
YAML

  depends_on = [
    helm_release.istio-operator
  ]
}

the Ingress created is reporting the error:
Translation failed: invalid ingress spec: could not find service "istio-system/istio-internal-ingressgateway"

What am I doing wrong? Why is the Istio-Operator getting updated, but the ingress-gateway not working?

Any help is gladly appreciated!

Best Regards