Istio-ingressgateway controller and namespaces

Do I need to create an istio-ingressgateway controller in every namespace I use, or can all my gateways in all namespaces use the one in the istio-system namespace? If they all use the one in istio-system, do I need to specify the namespace of the controller in some way when declaring the gateway resource?

For example, if I declare a gateway resource and a virtualservice resource in a namespace called “dev”, will they be able to access the ingressgateway controller in istio-system? Or do I need to specify that somehow when declaring the gateway and virtualservice?

Thanks

3 Likes

Maybe this helps?

https://blog.jayway.com/2018/10/22/understanding-istio-ingress-gateway-in-kubernetes/

1 Like

A little, but he creates one big gateway in the istio-system namespace. It’s unclear what the behavior should be for a gateway in another namespace.

From my experiments (I know enough to be dangerous…) I created one instance of istio ingress gateway, and multiple (per namespace) gateway instances.

No. Just one istio-ingressgateway deployment in the istio-system namespace is fine. Then you have Gateway resources in different namespaces and pilot will send the correct configuration to the istio-ingressgateway replicas.
See following reply.

In 1.1 this is changing a bit - the Gateway resource should be in the same namespace as the gateway (the service, deployment, certificates). The default is istio-system - but you can run it in other namespaces, or in multiple namespaces if you need to. Each namespace will have a different load balancer IP and may handle different domains with different certs.

Thanks, so best practice for both 1.0 and 1.1 is to deploy the gateway resource in the istio-system namespace and the virtualservice in any namespace? And Pilot will help everything find each other?

I’m using a generic ingress gateway deployed in the istio-system namespace:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
      tls:
        httpsRedirect: true
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "*"
      tls:
        mode: SIMPLE
        privateKey: /etc/istio/ingressgateway-certs/tls.key
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

The virtual services are deployed to different namespaces but they all refer to the gateway in the kube-system namespace:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend
  namespace: test
spec:
  gateways:
    - public-gateway.istio-system.svc.cluster.local
    - mesh
  hosts:
    - frontend.example.com
    - frontend
  http:
  - appendHeaders:
      x-envoy-max-retries: "10"
      x-envoy-retry-on: gateway-error,connect-failure,refused-stream
      x-envoy-upstream-rq-timeout-ms: "15000"
    route:
    - destination:
        host: podinfo
        port:
          number: 9898
      weight: 100
2 Likes

You mean the “istio-system” namespace.

At least as of Istio v1.2.0, you can use a single istio-ingressgateway controller to serve multiple Gateways co-located in the application namespaces (and the Gateways can successfully refer to the controller in istio-system). The docs have an example here.

Yes, you are right.
But why does the Istio (1.4) doc still say the gateway and deployment should be in the same namespace:


Is the doc wrong?

I suspect it’s wrong and needs to be updated, but I haven’t tested on 1.4.

Same question here. The document is quite confusing. I am new to Istio. The gateway selector confuses me a lot.

As a better solution design, you should create multiple ingress gateways, one in each namespace. All these gateways use/refer to the same istio-ingressgateway deployed in the istio-system namespace. The namespace should be a boundary/container fronted by a gateway exposing different virtual services deployed along with destination rules and deployments.

I like the approach. In such a case, will it be using a public IP address per namespace? Could you please provide a simple hello world example? Thanks!

@stefanprodan’s example worked for me. I have created only one gateway in the istio-system namespace, and added multiple hosts inside, then I have created multiple virtualservices in different namespaces. It worked.
The declaration must be like the following:

  gateways:
    - istio-system/public-gateway
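
An added worked example (not posted by anyone in this thread) that puts the two answers above together: one shared istio-ingressgateway deployment, one Gateway resource beside it in istio-system, and VirtualServices in the application namespaces that bind to it with the `<namespace>/<name>` form. It also adds the check a practitioner will want: a server with hosts `"*"` lets a VirtualService in any namespace claim any hostname on the shared ingress, so each host entry is scoped as `<namespace>/<dns-pattern>` (supported from Istio 1.1), which only lets VirtualServices in that namespace bind those names. The namespaces dev and test, the example.com domains, the port numbers, the Service name and the TLS secret name are assumptions.

```yaml
# Added example, not from the original thread. One shared ingressgateway,
# one Gateway in istio-system, per-namespace VirtualServices binding to it.
#
# Caveat: hosts: ["*"] lets a VirtualService in ANY namespace claim ANY
# hostname on the shared ingress. Scoping each entry as
# "<namespace>/<dns-pattern>" (Istio 1.1+) restricts who may bind what.
# Names (dev, test, *.example.com, ports, secret) are assumptions.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system        # same namespace as the ingressgateway Deployment/Service
spec:
  selector:
    istio: ingressgateway        # label carried by the shared istio-ingressgateway pods
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "dev/*.dev.example.com"
        - "test/*.test.example.com"
      tls:
        httpsRedirect: true      # plain HTTP only answers with a 301 to HTTPS
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "dev/*.dev.example.com"    # only VirtualServices in "dev" may bind these names
        - "test/*.test.example.com"  # only VirtualServices in "test" may bind these names
      tls:
        mode: SIMPLE
        # assumed kubernetes.io/tls secret in istio-system; needs SDS enabled on the
        # ingressgateway (1.1+). Without SDS, use the mounted-file privateKey /
        # serverCertificate form shown earlier in the thread instead.
        credentialName: public-gateway-cert
---
# VirtualService in the application namespace. It references the Gateway as
# "<gateway-namespace>/<gateway-name>" and claims a host that falls under the
# "dev/*.dev.example.com" entry above, so the binding is accepted.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend
  namespace: dev
spec:
  hosts:
    - frontend.dev.example.com
  gateways:
    - istio-system/public-gateway
  http:
    - route:
        - destination:
            host: frontend.dev.svc.cluster.local   # assumed in-mesh Service in "dev"
            port:
              number: 8080
```

With this Gateway, a VirtualService in the test namespace that referenced `istio-system/public-gateway` and listed `frontend.dev.example.com` would not be bound, because the only names exposed to test are `*.test.example.com`; a single wildcard `"*"` entry would have accepted it and let one team's VirtualService shadow another team's hostname on the shared load balancer IP.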