I have multiple public and private applications running in my Kubernetes cluster. I want to separate the traffic for each type by running multiple istio-gateway deployments. Is there a straightforward method to implement this with Istio?
For both types of application I am using a custom CA and importing the certificates as secrets manually. Do I need to do anything on the cert-manager side to achieve my use case?
kenske
May 23, 2019, 11:06pm
I'm trying to do the same. Did you figure this out?
Found this, I'll try that later:
This worked for me:
helm upgrade -i istio install/kubernetes/helm/istio -f values.yaml --namespace istio-system --wait
values.yaml:

```yaml
gateways:
  enabled: true
  istio-ingressgateway:
    serviceAnnotations:
      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
    sds:
      enabled: true
  istio-egressgateway:
    enabled: false
  chriss-ingressgateway:
    namespace: istio-system
    enabled: true
    sds:
      enabled: true
      image: node-agent-k8s
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: 2000m
          memory: 1024Mi
    labels:
      app: chrissi-istio-ingressgateway
      istio: chrissi-ingressgateway
    replicaCount: 1
    autoscaleMin: 1
    autoscaleMax: 2
    type: LoadBalancer
    ports:
    - port: 80
      targetPort: 80
      name: http2
    - port: 443
      name: https
    - port: 31400
      name: tcp
    secretVolumes:
    - name: ingressgateway-certs
      secretName: istio-ingressgateway-certs
      mountPath: /etc/istio/ingressgateway-certs
    - name: ingressgateway-ca-certs
      secretName: istio-ingressgateway-ca-certs
      mountPath: /etc/istio/ingressgateway-ca-certs
sidecarInjectorWebhook:
  rewriteAppHTTPProbe: true
tracing:
  enabled: true
kiali:
  enabled: true
  prometheusAddr: http://prometheus-prometheus.monitoring:9090
  dashboard:
    jaegerURL: "http://localhost:16686"
    grafanaURL: "http://grafana:3000"
prometheus:
  enabled: false
pilot:
  traceSampling: 100.0
global:
  logging:
    level: "default:info"
  autoInject: enabled
  # Specify which tracer to use. One of: lightstep, zipkin, datadog
  tracer: "zipkin"
  # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are
  # propagated, not recommended for tests.
  controlPlaneSecurityEnabled: true
  disablePolicyChecks: true
```
@Christian_Wohrle, were you able to test that new TCP traffic arriving at the newly created custom gateway is routed to the expected service? How do you differentiate TCP traffic going to different Istio ingress gateways?
I only tried HTTP, not plain TCP. It worked with HTTP.
In the gateway.yaml you specify with the selector which istio-gateway you want to use. In my example, chrissi-ingressgateway:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: elastic-kibana-gateway
  namespace: elastic
spec:
  selector:
    istio: chrissi-ingressgateway
  ...
```
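To show how the selector above ties the whole chain together for both HTTPS with the manually imported certificates and for plain TCP (the open questions in this thread), here is an added example that is not part of any post in this thread: a complete Gateway plus two VirtualServices bound to the `chrissi-ingressgateway` deployment from the values.yaml above. The resource names, the hostname `kibana.internal.example.com`, the backend services and their ports are assumptions chosen for illustration. Traffic separation between gateways comes from three things working together: each gateway deployment gets its own `type: LoadBalancer` Service (so its own external address), the Gateway `selector` limits the listeners to pods carrying that label, and each VirtualService names the Gateway it binds to and, for TCP, matches on the listener port. The TLS file paths follow the `secretVolumes` mounts in the values.yaml, so the `istio-ingressgateway-certs` secret must contain `tls.crt` and `tls.key` signed by the custom CA; no cert-manager is needed for that. If you rely on the `sds.enabled: true` setting instead of mounted files, the `tls` block would reference the secret by `credentialName` rather than by path.

```yaml
# Added example (not from the thread). Binds HTTPS and TCP listeners to the
# custom ingress gateway deployed with the values.yaml above.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: private-apps-gateway          # assumed name
  namespace: istio-system
spec:
  # Only pods with this label (the chriss-ingressgateway deployment) serve
  # these listeners; the default istio-ingressgateway never sees them.
  selector:
    istio: chrissi-ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "kibana.internal.example.com"   # assumed hostname
    tls:
      mode: SIMPLE
      # Paths match the secretVolumes mount for istio-ingressgateway-certs;
      # the secret must hold tls.crt and tls.key issued by the custom CA.
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
  - port:
      number: 31400                   # the tcp port exposed in values.yaml
      name: tcp
      protocol: TCP
    hosts:
    - "*"
---
# HTTP(S) routing: the VirtualService names the Gateway it binds to, so the
# same hostname on another gateway would not be affected.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: private-kibana-route          # assumed name
  namespace: istio-system
spec:
  hosts:
  - "kibana.internal.example.com"
  gateways:
  - private-apps-gateway
  http:
  - route:
    - destination:
        host: kibana.elastic.svc.cluster.local   # assumed backend service
        port:
          number: 5601
---
# TCP routing: there is no hostname to match on, so the listener port on the
# selected gateway is what distinguishes this traffic from other gateways.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: private-tcp-route             # assumed name
  namespace: istio-system
spec:
  hosts:
  - "*"
  gateways:
  - private-apps-gateway
  tcp:
  - match:
    - port: 31400
    route:
    - destination:
        host: elasticsearch.elastic.svc.cluster.local   # assumed backend service
        port:
          number: 9300
```

Apply the manifests with `kubectl apply -f`, then confirm that only the intended pods were selected with `kubectl get pods -n istio-system -l istio=chrissi-ingressgateway` and that the listeners landed there with `istioctl proxy-config listeners <that-pod> -n istio-system`; the default `istio-ingressgateway` pods should show no listener for port 31400.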