Hi All, we are using Istio in EKS. While looking at the Istio doc for gateway configuration, it's mentioned like below:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
```
In our case, we have an AWS load balancer created for the ingress gateway. Can we put any hostname here and access the gateway using the AWS load balancer, or do we need to update only the AWS load balancer in the hosts so that we can access this using the AWS load balancer?
Also, the virtual service is created based on path specification. If I have two services listening to the same path, how can I access both services using the same load balancer created for Istio?
@Dinesh3467
You can specify any number of hosts under the `hosts` section in Gateway and use the same istio-ingressgateway endpoint (aws load balancer) to access those. You should be able to do so by:
i) Using a `Host` header when you make a call directly against your aws loadbalancer, something like:
```
curl <aws_loadbalancer>/hello -H "Host: myservice1.mysubmdomain.com"
```
OR
ii) Create a CNAME called myservice1.mysubmdomain.com using route53 pointing to <aws_loadbalancer> endpoint
Thanks Anil for the response. If I need to use the load balancer from my browser, how will I pass this header? If my requirement is only to use it through the browser, I can have only one host and the TLS mode can only be simple?
That's correct.
The point I was trying to make was, you can support many hostnames using the same ingressgateway. You have to make sure you mount the right certs for each host and set the TLS mode to SIMPLE for each of these to work.
Thanks Anil for the response. Our case was to expose the applications using a single load balancer created for istio ingress gateway and do a path based routing using virtual service and access the url using web browser.
So in this case, I can't have two services serving on the same path (for example prefix: /)?
Two ways to achieve that:
i) Create two virtual services, a.mycompany.com and b.mycompany.com and attach them to ingressgateway (using istio Gateway) and route them to the respective services.
ii) Create a single virtual service and use host header match in virtual service to route traffic to different services.
Are you following the example here?: https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/
Please read the virtual service spec to see complete list of supported attributes/features.
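Added example, not part of the original thread: option ii written out as one Gateway and one VirtualService, where both routes use prefix `/` and the `authority` (Host header) match selects the backend. The gateway name, virtual service name and destination service hosts are hypothetical; the hostnames are the ones used in the reply above.

```yaml
# Added example; values marked "hypothetical" do not come from the thread.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: shared-gateway            # hypothetical name
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:                        # only these Host values are served on this port
    - a.mycompany.com
    - b.mycompany.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: shared-routes             # hypothetical name
spec:
  gateways:
  - shared-gateway
  hosts:
  - a.mycompany.com
  - b.mycompany.com
  http:
  # Both rules match prefix "/", so the Host header (authority) decides the backend.
  - match:
    - authority:
        exact: a.mycompany.com
      uri:
        prefix: /
    route:
    - destination:
        host: service-a.default.svc.cluster.local   # hypothetical service
  - match:
    - authority:
        exact: b.mycompany.com
      uri:
        prefix: /
    route:
    - destination:
        host: service-b.default.svc.cluster.local   # hypothetical service
```

For browser access, both hostnames need DNS records (for example CNAMEs) resolving to the load balancer, since the browser sets the Host header from the URL.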
Hi Anil, Thanks for the response.
I can try option 1, but the problem is, for example, if both of my services serve with prefix /isam, creating 2 virtual services will not work, right? I have 2 microservices for which I can give only / in the prefix, which is causing this issue.
Defining two virtual services with respective hostnames should work and routes can be defined for both independently.
The following should work:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ping-pong
  namespace: test
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - ping.mesh.com
    - pong.mesh.com
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ping
  namespace: test
spec:
  gateways:
  - ping-pong
  hosts:
  - ping.mesh.com
  http:
  - match:
    - uri:
        exact: /mesh/ping
    rewrite:
      uri: "/ping"
    route:
    - destination:
        host: ping.demo.svc.cluster.local
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: pong
  namespace: test
spec:
  gateways:
  - ping-pong
  hosts:
  - pong.mesh.com
  http:
  - match:
    - uri:
        exact: /mesh/pong
    rewrite:
      uri: "/pong"
    route:
    - destination:
        host: pong.demo.svc.cluster.local
```
Thanks Anil for your response. I will try this.