istio.io/_docs/tasks/ingress.md

title	overview	order	layout	type
Enabling Ingress Traffic	Describes how to configure Istio to expose a service outside of the service mesh.	30	docs	markdown

This task describes how to configure Istio to expose a service outside of the service mesh cluster. In a Kubernetes environment, Istio uses Kubernetes Ingress Resources to configure ingress behavior.

Before you begin

• Setup Istio by following the instructions in the Installation guide.

• Start the httpbin sample, which will be used as the destination service to be exposed externally.

Configuring ingress (HTTP)

1. Create the Ingress Resource for the httpbin service

   cat <<EOF | kubectl create -f -
   apiVersion: extensions/v1beta1
   kind: Ingress
   metadata:
     name: istio-ingress
     annotations:
       kubernetes.io/ingress.class: istio
   spec:
     rules:
     - http:
         paths:
         - path: /headers
           backend:
             serviceName: httpbin
             servicePort: 8000
         - path: /delay/.*
           backend:
             serviceName: httpbin
             servicePort: 8000
   EOF
   

   Notice that in this example we are only exposing httpbin's two endpoints: /headers as an exact URI path and /delay/ using an URI prefix.

2. Determine the ingress URL:

   If your cluster is running in an environment that supports external load balancers, use the ingress' external address:

   kubectl get ingress -o wide
   

   NAME            HOSTS     ADDRESS                 PORTS     AGE
   istio-ingress   *         130.211.10.121          80        1d
   

   export INGRESS_URL=130.211.10.121
   

   If load balancers are not supported, use the ingress controller's hostIP:

   kubectl get po -l istio=ingress -o jsonpath='{.items[0].status.hostIP}'
   

   169.47.243.100
   

   along with the istio-ingress service's nodePort for port 80:

   kubectl get svc istio-ingress
   

   NAME            CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
   istio-ingress   10.10.10.155   <pending>     80:31486/TCP,443:32254/TCP   32m
   
   

   export INGRESS_URL=169.47.243.100:31486
   
   

3. Access the httpbin service using curl:

   curl http://$INGRESS_URL/headers
   

   {
     "headers": {
   ...
   

Configuring secure ingress (HTTPS)

1. Generate keys if necessary

   A private key and certificate can be created for testing using OpenSSL.

   openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls.key -out /tmp/tls.crt -subj "/CN=foo.bar.com"
   

2. Create the secret using kubectl

   kubectl create secret tls ingress-secret --key /tmp/tls.key --cert /tmp/tls.crt
   

3. Create the Ingress Resource for the httpbin service

   cat <<EOF | kubectl create -f -
   apiVersion: extensions/v1beta1
   kind: Ingress
   metadata:
     name: secured-ingress
     annotations:
       kubernetes.io/ingress.class: istio
   spec:
     tls:
       - secretName: ingress-secret
     rules:
     - http:
         paths:
         - path: /html
           backend:
             serviceName: httpbin
             servicePort: 8000
   EOF
   

   Notice that in this example we are only exposing httpbin's /html endpoint.

   Remark: Envoy currently only allows a single TLS secret in the ingress since SNI is not yet supported.

4. Determine the secure ingress URL:

   If your cluster is running in an environment that supports external load balancers, use the ingress' external address:

   kubectl get ingress secured-ingress -o wide
   

   NAME              HOSTS     ADDRESS                 PORTS     AGE
   secured-ingress   *         130.211.10.121          80, 443   1d
   

   export SECURE_INGRESS_URL=130.211.10.121
   

   If load balancers are not supported, use the ingress controller's hostIP:

   kubectl get po -l istio=ingress -o jsonpath='{.items[0].status.hostIP}'
   

   169.47.243.100
   

   along with the istio-ingress service's nodePort for port 443:

   kubectl get svc istio-ingress
   

   NAME            CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
   istio-ingress   10.10.10.155   <pending>     80:31486/TCP,443:32254/TCP   32m
   
   

   export SECURE_INGRESS_URL=169.47.243.100:32254
   
   

5. Access the secured httpbin service using curl:

   curl -k https://$SECURE_INGRESS_URL/html
   

   <!DOCTYPE html>
   <html>
   ...
   

Setting Istio rules on an edge service

Similar to inter-cluster requests, Istio routing rules can also be set for edge services that are called from outside the cluster. To illustrate we will use istioctl to set a timeout rule on calls to the httpbin service.

1. Invoke the httpbin /delay endpoint you exposed previously:

   time curl http://$INGRESS_URL/delay/5
   

   ...
   real    0m5.024s
   user    0m0.003s
   sys     0m0.003s
   

   The request should return in approximately 5 seconds.

2. Use istioctl to set a 3s timeout on calls to the httpbin service

   cat <<EOF | istioctl create
   type: route-rule
   name: httpbin-3s-rule
   spec:
     destination: httpbin.default.svc.cluster.local
     http_req_timeout:
       simple_timeout:
         timeout: 3s
   EOF
   

   Note that you may need to change default namespace to the namespace of httpbin application.

3. Wait a few seconds, then issue the curl request again:

   time curl http://$INGRESS_URL/delay/5
   

   ...
   real    0m3.022s
   user    0m0.004s
   sys     0m0.003s
   

   This time the response appears after 3 seconds. Although httpbin was waiting 5 seconds, Istio cut off the request at 3 seconds.

Understanding ingress

In the preceding steps we created a service inside the Istio network mesh and exposed it to external traffic through ingresses.

What's next

• Learn how to expose external services by enabling egress traffic.

• Learn more about routing rules.