Istio-ingressgateway controller and namespaces

kylebe · March 5, 2019, 9:01pm

Do I need to create an istio-ingressgateway controller in every namespace I use, or can all my gateways in all namespaces use the one in the istio-system namespace? If they all use the one in istio-system, do I need to specify the namespace of the controller in some way when declaring the gateway resource?

For example, if I declare a gateway resource and a virtualservice resource in a namespace called “dev”, will they be able to access the ingressgateway controller in istio-system? Or do I need to specify that somehow when declaring the gateway and virtualservice?

Thanks

Warren_Strange · March 5, 2019, 10:49pm

Maybe this helps?

https://blog.jayway.com/2018/10/22/understanding-istio-ingress-gateway-in-kubernetes/

kylebe · March 5, 2019, 11:36pm

A little, but he creates one big gateway in the istio-system namespace. It’s unclear what the behavior should be for a gateway in another namespace.

Warren_Strange · March 5, 2019, 11:59pm

From my experiments (I know enough to be dangerous…) I created one instance of istio ingress gateway, and multiple (per namespace) gateway instances.

dwradcliffe · March 6, 2019, 2:56am

No. Just one istio-ingressgateway deployment in the istio-system namespace is fine. Then you have Gateway resources in different namespaces and pilot will send the correct configuration to the istio-ingressgateway replicas.
See following reply.

Costin_Manolache1 · March 6, 2019, 3:16am

In 1.1 this is changing a bit - the Gateway resource should be in same namespace as the gateway(the service, deployment, certificates). The default is istio-system - but you can run it in other namespace, or in multiple namespaces if you need to. Each namespace will have a different load balancer IP and may handle different domains with different certs.

kylebe · March 6, 2019, 1:40pm

Thanks, so best practice for both 1.0 and 1.1 is to deploy the gateway resource in the istio-system namespace and the virtualservice in any namespace? And Pilot will help everything find each other?

stefanprodan · March 6, 2019, 2:45pm

I’m using a generic ingress gateway deployed in the istio-system namespace:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
      tls:
        httpsRedirect: true
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "*"
      tls:
        mode: SIMPLE
        privateKey: /etc/istio/ingressgateway-certs/tls.key
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

The virtual services are deployed to different namespaces but they all refer the gateway in kube-system namespace:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend
  namespace: test
spec:
  gateways:
    - public-gateway.istio-system.svc.cluster.local
    - mesh
  hosts:
    - frontend.example.com
    - frontend
  http:
  - appendHeaders:
      x-envoy-max-retries: "10"
      x-envoy-retry-on: gateway-error,connect-failure,refused-stream
      x-envoy-upstream-rq-timeout-ms: "15000"
    route:
    - destination:
        host: podinfo
        port:
          number: 9898
      weight: 100

icarusin · March 26, 2019, 5:47pm

You mean the “istio-system” namespace.

kvudata · July 4, 2019, 1:04am

At least as of Istio v1.2.0, you can use a single istio-ingressgateway controller to serve multiple Gateway’s co-located in the application namespaces (and the Gateway’s can successfully refer to the controller in istio-system). The docs have an example here.

zhongfox · November 29, 2019, 8:08am

yes, you are right.
but why the istio (1.4) doc still saying gateway and deployment should in the same namespaces:

is the doc wrong?

kvudata · November 30, 2019, 4:34pm

I suspect it’s wrong and needs to be updated, but I haven’t tested on 1.4

popcornylu · January 7, 2020, 11:13pm

Same question here. The document is quite confusing. I am new to istio. The gateway selector confuse me a lot.

Kamesh_Chauhan · April 28, 2020, 2:48am

As a better solution design, you should create multiple ingress gateway in each namespace. All this gateways use/refer the same istio-ingressgateway deployed in istio-sytem namespace. The namespace should be a boundary/container fronted by gateway exposing different virtual services deployed along with destination rules and deployments.

Eduardo_Lago_Aguilar · September 7, 2020, 3:39pm

I like the approach. In such case, will it be using a public IP address per each namespace? Could you please provide a simple hello world example? Thanks!

edib · October 26, 2021, 7:33pm

@stefanprodan’s example worked for me. I have created only gateway in istio-system namespace, and added multiple hosts inside, then I have created multiple virtualservices in different namespaces. It worked.
declaration must be like following:

  gateways:
    - istio-system/public-gateway

Topic		Replies	Views
Ingressgateway for namespaces	2	501	February 21, 2020
Recommendations on ingress/egress Gateways/VirtualService architectures Networking	1	702	October 9, 2020
Organizing VirtualServices and Gateways	1	767	March 13, 2019
Organizing VirtualServices and Gateways (x-post)	0	590	January 29, 2019
Create ingressgateway successful, but can't find the gateway in any namespaces Networking	1	301	May 14, 2023

Istio-ingressgateway controller and namespaces

Related topics