Istio-ingressgateway controller and namespaces

Do I need to create an istio-ingressgateway controller in every namespace I use, or can all my gateways in all namespaces use the one in the istio-system namespace? If they all use the one in istio-system, do I need to specify the namespace of the controller in some way when declaring the gateway resource?

For example, if I declare a gateway resource and a virtualservice resource in a namespace called “dev”, will they be able to access the ingressgateway controller in istio-system? Or do I need to specify that somehow when declaring the gateway and virtualservice?



Maybe this helps?

A little, but he creates one big gateway in the istio-system namespace. It’s unclear what the behavior should be for a gateway in another namespace.

From my experiments (I know enough to be dangerous…) I created one instance of istio ingress gateway, and multiple (per namespace) gateway instances.

No. Just one istio-ingressgateway deployment in the istio-system namespace is fine. Then you have Gateway resources in different namespaces and pilot will send the correct configuration to the istio-ingressgateway replicas.
See following reply.

In 1.1 this is changing a bit - the Gateway resource should be in the same namespace as the gateway (the service, deployment, certificates). The default is istio-system - but you can run it in another namespace, or in multiple namespaces if you need to. Each namespace will have a different load balancer IP and may handle different domains with different certs.

Thanks, so best practice for both 1.0 and 1.1 is to deploy the gateway resource in the istio-system namespace and the virtualservice in any namespace? And Pilot will help everything find each other?

I’m using a generic ingress gateway deployed in the istio-system namespace:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system
spec:
  # binds this Gateway to the istio-ingressgateway pods in istio-system
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
      tls:
        # plain HTTP is only used to redirect clients to HTTPS
        httpsRedirect: true
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "*"
      tls:
        mode: SIMPLE
        privateKey: /etc/istio/ingressgateway-certs/tls.key
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

The virtual services are deployed to different namespaces, but they all refer to the gateway in the kube-system namespace:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: frontend
  namespace: test
spec:
  # attach to the shared Gateway in another namespace, plus the in-mesh sidecars
  gateways:
    - public-gateway.istio-system.svc.cluster.local
    - mesh
  hosts:
    - frontend
  http:
  - appendHeaders:
      x-envoy-max-retries: "10"
      x-envoy-retry-on: gateway-error,connect-failure,refused-stream
      x-envoy-upstream-rq-timeout-ms: "15000"
    route:
    - destination:
        host: podinfo
        port:
          number: 9898
      weight: 100

You mean the “istio-system” namespace.

At least as of Istio v1.2.0, you can use a single istio-ingressgateway controller to serve multiple Gateways co-located in the application namespaces (and the Gateways can successfully refer to the controller in istio-system). The docs have an example here.

Yes, you are right.
But why is the Istio (1.4) doc still saying the gateway and deployment should be in the same namespace:

is the doc wrong?

I suspect it’s wrong and needs to be updated, but I haven’t tested on 1.4

Same question here. The document is quite confusing. I am new to Istio. The gateway selector confuses me a lot.

As a better solution design, you should create an ingress gateway in each namespace. All these gateways use/refer to the same istio-ingressgateway deployed in the istio-system namespace. The namespace should be a boundary/container fronted by a gateway exposing different virtual services deployed along with destination rules and deployments.

I like the approach. In such a case, will it be using a public IP address per namespace? Could you please provide a simple hello world example? Thanks!
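An added example of the per-namespace design described in the replies above (it is not from the original thread or from the Istio project): one Gateway and one VirtualService living together in an application namespace, both bound to the single istio-ingressgateway deployment in istio-system through the `istio: ingressgateway` selector. Because the selector picks the existing istio-system pods rather than deploying a new proxy, all namespaces share that one load balancer IP; a separate IP per namespace only appears if you deploy a separate ingress gateway (service plus deployment) per namespace, as the 1.1 reply notes. The namespace `dev`, the names `dev-gateway`, `dev.example.com`, `podinfo` and `dev-example-com-tls` are placeholders. The `gateways` entry uses the `namespace/name` form that Istio 1.1 and later resolve, instead of the `svc.cluster.local` form in the 1.0-era manifest above. The TLS secret referenced by `credentialName` must exist in istio-system, the namespace of the proxy pods, not in `dev`; keeping the Gateway's `hosts` limited to the namespace's own domain rather than `"*"` prevents one team's Gateway from capturing another's traffic on the shared proxy.

```yaml
# Per-namespace Gateway: configures the shared istio-system proxy,
# but only for the hosts this namespace owns.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: dev-gateway          # placeholder name
  namespace: dev             # application namespace, not istio-system
spec:
  selector:
    istio: ingressgateway    # matches the istio-ingressgateway pods in istio-system
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - dev.example.com    # placeholder; restrict to this namespace's domain
      tls:
        httpsRedirect: true  # never serve the app over plain HTTP
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - dev.example.com
      tls:
        mode: SIMPLE
        # Secret must live in istio-system (where the proxy runs), not in dev.
        credentialName: dev-example-com-tls   # placeholder secret name
---
# VirtualService in the same namespace, attached to the Gateway above.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: podinfo              # placeholder
  namespace: dev
spec:
  hosts:
    - dev.example.com
  gateways:
    - dev/dev-gateway        # namespace/name form (Istio 1.1+); "dev-gateway" also works within the same namespace
  http:
    - route:
        - destination:
            host: podinfo    # placeholder Service in the dev namespace
            port:
              number: 9898
```

To check that the shared proxy actually received this configuration, `istioctl proxy-config routes <istio-ingressgateway-pod> -n istio-system` should list `dev.example.com` among the virtual hosts after `kubectl apply -n dev` of both resources; if the host is missing, the selector labels or the `gateways` reference are the usual culprits.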