istio.io/_docs/tasks/ingress.md


title: Enabling Ingress Traffic
overview: Describes how to configure Istio to expose a service outside of the service mesh.
order: 30
layout: docs
type: markdown

This task describes how to configure Istio to expose a service outside of the service mesh cluster. In a Kubernetes environment, Istio uses Kubernetes Ingress Resources to configure ingress behavior.

Before you begin

  • Set up Istio by following the instructions in the Installation guide.

  • Start the httpbin sample, which will be used as the destination service to be exposed externally.

Configuring ingress (HTTP)

  1. Create the Ingress Resource for the httpbin service

    cat <<EOF | kubectl create -f -
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: istio-ingress
      annotations:
        kubernetes.io/ingress.class: istio
    spec:
      rules:
      - http:
          paths:
          - path: /headers
            backend:
              serviceName: httpbin
              servicePort: 8000
          - path: /delay/.*
            backend:
              serviceName: httpbin
              servicePort: 8000
    EOF
    

    Notice that in this example we are only exposing httpbin's /headers and /delay endpoints.

  2. Determine the ingress URL:

    If your cluster is running in an environment that supports external load balancers, use the ingress's external address:

    kubectl get ingress -o wide
    
    NAME      HOSTS     ADDRESS                 PORTS     AGE
    gateway   *         130.211.10.121          80        1d
    export INGRESS_URL=130.211.10.121:80
    

    If load balancers are not supported, use the service NodePort instead:

    export INGRESS_URL=$(kubectl get po -l istio=ingress -o jsonpath='{.items[0].status.hostIP}'):$(kubectl get svc istio-ingress -o jsonpath='{.spec.ports[0].nodePort}')
    
  3. Access the httpbin service using curl:

    curl http://$INGRESS_URL/headers
    
    {
      "headers": {
        "Accept": "*/*", 
        "Content-Length": "0", 
        "Host": "httpbin.default.svc.cluster.local:8000", 
        "User-Agent": "curl/7.35.0", 
        "X-Envoy-Expected-Rq-Timeout-Ms": "15000", 
        "X-Request-Id": "59cf4fce-72e0-4470-ade5-f59149705944"
      }
    }
    

Configuring secure ingress (HTTPS)

  1. Generate keys if necessary

    A private key and certificate can be created for testing using OpenSSL.

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls.key -out /tmp/tls.crt -subj "/CN=foo.bar.com"
    
  2. Create the secret using kubectl

    kubectl create secret tls ingress-secret --key /tmp/tls.key --cert /tmp/tls.crt
    
  3. Create the Ingress Resource for the httpbin service

    cat <<EOF | kubectl create -f -
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: secured-ingress
      annotations:
        kubernetes.io/ingress.class: istio
    spec:
      tls:
        - secretName: ingress-secret
      rules:
      - http:
          paths:
          - path: /html
            backend:
              serviceName: httpbin
              servicePort: 8000
    EOF
    

    Notice that in this example we are only exposing httpbin's /html endpoint.

    Remark: Envoy currently only allows a single TLS secret in the ingress since SNI is not yet supported.

  4. Access the secured httpbin service using curl:

    curl -k https://$INGRESS_URL/html
    
    <!DOCTYPE html>
    <html>
    ...
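
An added example, not part of the Istio documentation: steps 1 and 4 wrapped so that the test key is written to a private directory rather than fixed paths in /tmp, the key and certificate are checked against each other before they go into the secret, and curl validates the certificate instead of using -k. The function names are hypothetical, and it assumes the curl build accepts a certificate that carries only a CN (no subjectAltName), which is what the page's openssl command produces.

```bash
#!/usr/bin/env bash
# Added example, not from the Istio docs; all function names are hypothetical.

# Step 1 with the page's openssl options, but writing into a fresh private
# directory instead of the fixed, shared paths /tmp/tls.key and /tmp/tls.crt.
# Prints the directory that holds tls.key and tls.crt.
make_test_cert() {
  local cn="$1" dir
  dir="$(mktemp -d)" || return 1   # mktemp -d creates the directory with mode 0700
  ( umask 077                      # the unencrypted (-nodes) key stays owner-only
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout "$dir/tls.key" -out "$dir/tls.crt" -subj "/CN=$cn" 2>/dev/null
  ) || return 1
  printf '%s\n' "$dir"
}

# Succeed only if the private key and the certificate carry the same public key.
tls_pair_matches() {
  local key="$1" crt="$2" from_key from_crt
  from_key="$(openssl pkey -in "$key" -pubout 2>/dev/null)" || return 1
  from_crt="$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# Print the subject CN of a certificate (foo.bar.com for the page's command).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Step 4 without -k: trust only this certificate and connect to the ingress
# address under the certificate's CN, so hostname verification can pass.
verified_get() {
  local crt="$1" addr="$2" port="$3" path="$4" cn
  cn="$(cert_cn "$crt")" || return 1
  [ -n "$cn" ] || return 1
  curl --fail --silent --show-error --cacert "$crt" \
    --resolve "$cn:$port:$addr" "https://$cn:$port$path"
}

# Usage against a cluster (address is a constructed placeholder):
#   dir="$(make_test_cert foo.bar.com)"
#   tls_pair_matches "$dir/tls.key" "$dir/tls.crt" &&
#     kubectl create secret tls ingress-secret --key "$dir/tls.key" --cert "$dir/tls.crt"
#   verified_get "$dir/tls.crt" 203.0.113.10 443 /html
```

A failed tls_pair_matches before `kubectl create secret tls` catches a key or certificate that was overwritten between generation and upload.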
    

Setting Istio rules on an edge service

Similar to inter-cluster requests, Istio routing rules can also be set for edge services that are called from outside the cluster. To illustrate, we will use istioctl to set a timeout rule on calls to the httpbin service.

  1. Invoke the httpbin /delay endpoint you exposed previously:

    time curl http://$INGRESS_URL/delay/5
    
    ...
    real    0m5.024s
    user    0m0.003s
    sys     0m0.003s
    

    The request should return in approximately 5 seconds.

  2. Use istioctl to set a 3s timeout on calls to the httpbin service

    cat <<EOF | istioctl create
    type: route-rule
    name: httpbin-3s-rule
    spec:
      destination: httpbin.default.svc.cluster.local
      http_req_timeout:
        simple_timeout:
          timeout: 3s
    EOF
    

    Note that you may need to change the default namespace in the destination name to the namespace of the httpbin application.

  3. Wait a few seconds, then issue the curl request again:

    time curl http://$INGRESS_URL/delay/5
    
    ...
    real    0m3.022s
    user    0m0.004s
    sys     0m0.003s
    

    This time the response appears after 3 seconds. Although httpbin was waiting 5 seconds, Istio cut off the request at 3 seconds.

Understanding ingress

In the preceding steps we created a service inside the Istio network mesh and exposed it to external traffic through ingresses.

What's next