istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

A few gateway install clarifications (#9878)

This commit is contained in:
Frank Budinsky 2021-06-03 16:13:19 -04:00 committed by GitHub
parent 7a9003e78c
commit 0bd422fe25
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 23 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
content/en/docs/setup/additional-setup/gateway/index.md
View File

@ -8,25 +8,38 @@ test: no
--- ---
Along with creating a service mesh, Istio allows you to manage [gateways](/docs/concepts/traffic-management/#gateways), Along with creating a service mesh, Istio allows you to manage [gateways](/docs/concepts/traffic-management/#gateways),
which run at the edge of the mesh, providing fine-grained control over traffic entering and leaving the mesh. which are Envoy proxies running at the edge of the mesh, providing fine-grained control over traffic entering and leaving the mesh.
Follow this guide to deploy one or more gateways. Some of Istio's built in [configuration profiles](/docs/setup/additional-setup/config-profiles/) deploy gateways during installation.
For example, a call to `istioctl install` with [default settings](/docs/setup/install/istioctl/#install-istio-using-the-default-profile)
will deploy an ingress gateway along with the control plane.
Although fine for evaluation and simple use cases, this couples the gateway to the control plane, making management and upgrade more complicated.
For production Istio deployments, it is highly recommended to decouple these to allow independent operation.
Follow this guide to separately deploy and manage one or more gateways in a production installation of Istio.
## Prerequisites ## Prerequisites
This guide requires the Istio control plane [to be installed](/docs/setup/install/) before proceeding. This guide requires the Istio control plane [to be installed](/docs/setup/install/) before proceeding.
## Installing the gateway with injection {{< tip >}}
You can use the `minimal` profile, for example `istioctl install --set profile=minimal`, to prevent any gateways from being deployed
during installation.
{{< /tip >}}
Using the same mechanisms as [Istio sidecar injection](/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection), the Envoy proxy configuration for gateways can similarly be auto-injected. ## Deploying a gateway
This gives developers full control over the gateway deployment, while also simplifying operations. Using the same mechanisms as [Istio sidecar injection](/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection),
the Envoy proxy configuration for gateways can similarly be auto-injected.
Using auto-injection for gateway deployments is recommended as it gives developers full control over the gateway deployment,
while also simplifying operations.
When a new upgrade is available, or a configuration has changed, gateway pods can be updated by simply restarting them. When a new upgrade is available, or a configuration has changed, gateway pods can be updated by simply restarting them.
This makes the experience of operating a gateway deployment the same as operating sidecars. This makes the experience of operating a gateway deployment the same as operating sidecars.
To support users with existing deployment tools, Istio provides a few different ways to deploy a gateway. To support users with existing deployment tools, Istio provides a few different ways to deploy a gateway.
Each method will produce the same result. Each method will produce the same result.
Choose the method you are most familiar with: Choose the method you are most familiar with.
{{< tip >}} {{< tip >}}
As a security best practice, it is recommended to deploy the gateway in a different namespace from the control plane. As a security best practice, it is recommended to deploy the gateway in a different namespace from the control plane.
@ -36,11 +49,6 @@ As a security best practice, it is recommended to deploy the gateway in a differ
{{< tab name="IstioOperator" category-value="iop" >}} {{< tab name="IstioOperator" category-value="iop" >}}
A call to `istioctl install` with [default settings](/docs/setup/install/istioctl/#install-istio-using-the-default-profile) will deploy a gateway by default.
However, this couples it to the control plane, making management and upgrade more complicated.
It is highly recommended to decouple these and allow independent operation.
This can be done by selecting the `minimal` profile, for example `istioctl install --set profile=minimal`.
First, setup an `IstioOperator` configuration file, called `ingress.yaml` here: First, setup an `IstioOperator` configuration file, called `ingress.yaml` here:
{{< text yaml >}} {{< text yaml >}}
@ -169,8 +177,11 @@ subjects:
name: default name: default
{{< /text >}} {{< /text >}}
{{< warning >}}
This example shows the bare minimum needed to get a gateway running. For production usage, additional This example shows the bare minimum needed to get a gateway running. For production usage, additional
configuration such as Horizontal Pod Autoscaler, Pod Disruption Budget, and resource requests/limits are recommended. configuration such as `HorizontalPodAutoscaler`, `PodDisruptionBudget`, and resource requests/limits are recommended.
These are automatically included when using the other gateway installation methods.
{{< /warning >}}
{{< tip >}} {{< tip >}}
The `sidecar.istio.io/inject` label on the pod is used in this example to enable injection. Just like application sidecar injection, this can instead be controlled at the namespace level. The `sidecar.istio.io/inject` label on the pod is used in this example to enable injection. Just like application sidecar injection, this can instead be controlled at the namespace level.