Istio-ingressgateway controller and namespaces

#1

Do I need to create an istio-ingressgateway controller in every namespace I use, or can all my gateways in all namespaces use the one in the istio-system namespace? If they all use the one in istio-system, do I need to specify the namespace of the controller in some way when declaring the gateway resource?

For example, if I declare a gateway resource and a virtualservice resource in a namespace called “dev”, will they be able to access the ingressgateway controller in istio-system? Or do I need to specify that somehow when declaring the gateway and virtualservice?

Thanks

#2

Maybe this helps?

https://blog.jayway.com/2018/10/22/understanding-istio-ingress-gateway-in-kubernetes/

#3

A little, but he creates one big gateway in the istio-system namespace. It’s unclear what the behavior should be for a gateway in another namespace.

#4

From my experiments (I know enough to be dangerous…) I created one instance of istio ingress gateway, and multiple (per namespace) gateway instances.

#5

No. Just one istio-ingressgateway deployment in the istio-system namespace is fine. Then you have Gateway resources in different namespaces and Pilot will send the correct configuration to the istio-ingressgateway replicas.
See the following reply.

#6

In 1.1 this is changing a bit - the Gateway resource should be in the same namespace as the gateway (the service, deployment, certificates). The default is istio-system - but you can run it in another namespace, or in multiple namespaces if you need to. Each namespace will have a different load balancer IP and may handle different domains with different certs.

#7

Thanks, so best practice for both 1.0 and 1.1 is to deploy the gateway resource in the istio-system namespace and the virtualservice in any namespace? And Pilot will help everything find each other?

#8

I’m using a generic ingress gateway deployed in the istio-system namespace:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
      tls:
        httpsRedirect: true
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "*"
      tls:
        mode: SIMPLE
        privateKey: /etc/istio/ingressgateway-certs/tls.key
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

The virtual services are deployed to different namespaces but they all refer to the gateway in the kube-system namespace:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend
  namespace: test
spec:
  gateways:
    - public-gateway.istio-system.svc.cluster.local
    - mesh
  hosts:
    - frontend.example.com
    - frontend
  http:
  - appendHeaders:
      x-envoy-max-retries: "10"
      x-envoy-retry-on: gateway-error,connect-failure,refused-stream
      x-envoy-upstream-rq-timeout-ms: "15000"
    route:
    - destination:
        host: podinfo
        port:
          number: 9898
      weight: 100
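Added example (not from the thread or the Istio project): a small Python check that resolves the gateway references of a VirtualService in the forms the manifests above use, flags a reference to a namespace where no such Gateway exists (the kube-system/istio-system slip discussed here), and reports hosts the Gateway's servers would not admit. The inputs are constructed dicts mirroring the manifests above; the namespace-qualified host handling (`./`, `*/`, `<ns>/`) is an assumed simplification of Istio's matching.

```python
# Added example: resolve VirtualService gateway references across namespaces.
# A spec.gateways entry may be "mesh", "<name>" (same namespace as the VirtualService),
# "<namespace>/<name>" or the "<name>.<namespace>.svc.cluster.local" form used above.
from fnmatch import fnmatchcase

def parse_gateway_ref(ref, vs_namespace):
    """Return (namespace, name) for one spec.gateways entry."""
    if ref == "mesh":
        return ("", "mesh")
    if "/" in ref:
        return tuple(ref.split("/", 1))
    if ref.endswith(".svc.cluster.local"):          # FQDN form; assumes dot-free names
        name, ns = ref[:-len(".svc.cluster.local")].split(".", 1)
        return (ns, name)
    return (vs_namespace, ref)                       # bare name: same namespace as the VS

def host_admitted(pattern, host, gw_ns, vs_ns):
    """Does a Gateway server host entry (optionally "<ns>/"-qualified) admit host? (assumed rules)"""
    ns_sel, _, pat = pattern.rpartition("/")
    ns_ok = ns_sel in ("", "*") or ns_sel == vs_ns or (ns_sel == "." and gw_ns == vs_ns)
    return ns_ok and fnmatchcase(host, pat)

def check_virtual_service(vs, gateways):
    """Return findings; [] means every reference resolves and every host is admitted."""
    findings, vs_ns = [], vs["metadata"]["namespace"]
    known = {(g["metadata"]["namespace"], g["metadata"]["name"]): g for g in gateways}
    for ref in vs["spec"].get("gateways", []):
        ns, name = parse_gateway_ref(ref, vs_ns)
        if name == "mesh":                 # sidecar-only binding, nothing to resolve
            continue
        gw = known.get((ns, name))
        if gw is None:
            findings.append(f"{ref}: no Gateway '{name}' in namespace '{ns}'")
            continue
        patterns = [h for s in gw["spec"]["servers"] for h in s.get("hosts", [])]
        for host in vs["spec"].get("hosts", []):
            if not any(host_admitted(p, host, ns, vs_ns) for p in patterns):
                findings.append(f"{ref}: host '{host}' not admitted by {patterns}")
    return findings

# Constructed inputs mirroring the manifests above (plain dicts, so no YAML library needed).
PUBLIC_GATEWAY = {"metadata": {"name": "public-gateway", "namespace": "istio-system"},
                  "spec": {"servers": [{"hosts": ["*"]}, {"hosts": ["*"]}]}}
FRONTEND_VS = {"metadata": {"name": "frontend", "namespace": "test"},
               "spec": {"gateways": ["public-gateway.istio-system.svc.cluster.local", "mesh"],
                        "hosts": ["frontend.example.com", "frontend"]}}
# The slip discussed in the thread: the same reference aimed at kube-system instead.
BAD_VS = {"metadata": FRONTEND_VS["metadata"],
          "spec": {**FRONTEND_VS["spec"], "gateways": ["public-gateway.kube-system.svc.cluster.local"]}}
```

Running `check_virtual_service(FRONTEND_VS, [PUBLIC_GATEWAY])` returns no findings, while `BAD_VS` yields one unresolved-reference finding naming kube-system.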

#9

You mean the “istio-system” namespace.