Multiple ingress controller services via IstioOperator?

dsb · July 23, 2020, 12:05am

Does Istio support having multiple ingress controller services, especially when configured using istioctl manifest generate -f ... with a IstioOperator file specifying multiple items under ingressGateway?

I think I need to have two separate ingress controller services, so I can add different annotations to their Service objects so I can configure their (AWS) load balancers differently. (I need one to be internal and the other to be external.)

When I try to generate K8s manifests as above (with two ingresses), I get two Deployment objects each of whose label selector seems to match both Deployments’ pods, not just its own pods). (There’s something different between the pods’ labels in the Deployments’ pod templates, but there’s nothing different in the labels in the Deployments’ label selectors.) That is, it looks like both Deployments will think they own/manage each pod.

serrien · July 29, 2020, 7:48am

@dsb

Hello,

Istio support having multiple ingress controller services configured with Operator but you need to configure overlays for each ingress gateway.

ingressGateways:
    - name: ingressgateway-private
            namespace: istio-system
            enabled: true
            k8s:
              serviceAnnotations:
                service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
                service.beta.kubernetes.io/aws-load-balancer-internal: "true"
              hpaSpec:
                minReplicas: 2
             overlays:
                - kind: HorizontalPodAutoscaler
                  name: ingressgateway-private
                  patches:
                    - path: metadata.labels.app
                      value: ingressgateway-private
                    - path: metadata.labels.istio
                      value: ingressgateway-private
                    - path: spec.scaleTargetRef.name
                      value: ingressgateway-private
                - kind: Deployment
                  name: ingressgateway-private
                  patches:
                    - path: metadata.labels.app
                      value: ingressgateway-private
                    - path: metadata.labels.istio
                      value: ingressgateway-private
                    - path: spec.selector.matchLabels.app
                      value: ingressgateway-private
                    - path: spec.selector.matchLabels.istio
                      value: ingressgateway-private
                    - path: spec.template.metadata.labels.app
                      value: ingressgateway-private
                    - path: spec.template.metadata.labels.istio
                      value: ingressgateway-private
                - kind: Service
                  name: ingressgateway-private
                  patches:
                    - path: metadata.labels.app
                      value: ingressgateway-private
                    - path: metadata.labels.istio
                      value: ingressgateway-private
                    - path: spec.selector.app
                      value: ingressgateway-private
                    - path: spec.selector.istio
                      value: ingressgateway-private
                - kind: PodDisruptionBudget
                  name: ingressgateway-private
                  patches:
                    - path: metadata.name
                      value: ingressgateway-private
                    - path: metadata.labels.app
                      value: ingressgateway-private
                    - path: metadata.labels.istio
                      value: ingressgateway-private
                    - path: spec.selector.matchLabels.app
                      value: ingressgateway-private
                    - path: spec.selector.matchLabels.istio
                      value: ingressgateway-private

Crayeth · July 29, 2020, 7:51am

Hi!, this should be possible we use the following in Istio 1.6.5;

    ingressGateways:
      - name: istio-ingressgateway
        enabled: true
      - name: internal-ingressgateway
        enabled: true
        label:
          istio: internal-ingressgateway
          app: internal-istio-ingressgateway
        k8s:
          serviceAnnotations:
            service.beta.kubernetes.io/azure-load-balancer-internal: "true"

serrien · July 29, 2020, 9:27am

@Crayeth

It’s cool if overlays no longer need to be specified for this case.

IbraheemAlSaady · August 25, 2020, 1:36pm

@Crayeth I have a similar setup to the one you mentioned. I also want to put the ingress.class annotation to my ingress object and specify which controller to process it. Currently there is only the istio class, how can I have an istio-internal class for example?
Thanks

CSimpiFoN · March 8, 2021, 3:07pm

Hello,

How can it be made work? For me, Istio Operator fails with immutable field if I want to add/change labels of ingresses.

Topic		Replies	Views
Kubernetes Ingress with Multiple Istio Gateway Controllers Networking	1	588	March 23, 2020
Single control-plane with multiple ingress gateways	0	468	December 27, 2019
IstioControlPlane API - how to create multiple ingress gateways Networking	3	3386	July 23, 2020
Could I deploy multiple istio controllers in a k8s cluster?	4	460	February 10, 2021
Attaching multiple gateways to istio's ingressgateway	8	13527	August 4, 2021

Multiple ingress controller services via IstioOperator?

Related topics