Gateway

    For example, the following Gateway configuration sets up a proxy to act as a load balancer exposing ports 80 and 9080 (http), 443 (https), 9443 (https) and port 2379 (TCP) for ingress. The gateway will be applied to the proxy running on a pod with the label app: my-gateway-controller. While Istio will configure the proxy to listen on these ports, it is the responsibility of the user to ensure that external traffic to these ports is allowed into the mesh.
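    The Gateway listing that the paragraph refers to is not reproduced on this page. The following is an added illustration, not the page's original listing, of a Gateway matching that description: ports 80 and 9080 (HTTP), 443 and 9443 (HTTPS) and 2379 (TCP), selecting pods labelled app: my-gateway-controller. It also exercises the Server.TLSOptions fields documented further down (httpsRedirect, mode SIMPLE with file paths, and credentialName). The host lists, the certificate file paths and the secret name bookinfo-credential are assumptions.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller   # pods carrying this label run the proxy
  servers:
  # Port 80: plain HTTP, but every request is answered with a 301 to HTTPS,
  # so the site is reachable but never served in cleartext.
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:                       # assumed host list
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      httpsRedirect: true
  # Port 443: TLS terminated at the gateway with certificate and key read
  # from the gateway pod's file system (paths are assumptions).
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      minProtocolVersion: TLSV1_2   # refuse TLS 1.0/1.1 clients
  # Port 9443: same termination, but the credentials come from a secret
  # named by credentialName (assumed name) instead of file paths. Per the
  # field description, this needs ISTIO_META_USER_SDS set on the proxy.
  - port:
      number: 9443
      name: https-9443
      protocol: HTTPS
    hosts:
    - "bookinfo-namespace/*"     # only VirtualServices in that namespace may bind
    tls:
      mode: SIMPLE
      credentialName: bookinfo-credential
  # Port 9080: plain HTTP for the explicit :9080 URLs in the VirtualService.
  - port:
      number: 9080
      name: http-9080
      protocol: HTTP
    hosts:
    - "*"
  # Port 2379: opaque TCP; routed by port only, no host or path matching.
  - port:
      number: 2379
      name: tcp-2379
      protocol: TCP
    hosts:
    - "*"
```

    Two points worth checking after applying such a resource: the Gateway only programs Envoy listeners, so the Kubernetes Service or cloud load balancer in front of the gateway pod (and any firewall rules) must expose exactly the same set of ports and nothing more; and a VirtualService in a namespace other than the ones named in each server's hosts list will silently fail to bind to that server.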

    The Gateway specification above describes the L4-L6 properties of a load balancer. A VirtualService can then be bound to a gateway to control the forwarding of traffic arriving at a particular host or gateway port.

    For example, the following VirtualService splits traffic for https://uk.bookinfo.com/reviews, https://eu.bookinfo.com/reviews, http://uk.bookinfo.com:9080/reviews, http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of an internal reviews service on port 9080. In addition, requests containing the cookie “user: dev-123” will be sent to special port 7777 in the qa version. The same rule is also applicable inside the mesh for requests to the “reviews.prod.svc.cluster.local” service. This rule is applicable across ports 443, 9080. Note that http://uk.bookinfo.com gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: bookinfo-rule
      namespace: bookinfo-namespace
    spec:
      hosts:
      - reviews.prod.svc.cluster.local
      - uk.bookinfo.com
      - eu.bookinfo.com
      gateways:
      - some-config-namespace/my-gateway
      - mesh # applies to all the sidecars in the mesh
      http:
      - match:
        - headers:
            cookie:
              user: dev-123 # the cookie value named in the description above
        route:
        - destination:
            port:
              number: 7777
            host: reviews.qa.svc.cluster.local
      - match:
        - uri:
            prefix: /reviews/
        route:
        - destination:
            port:
              number: 9080 # can be omitted if it's the only port for reviews
            host: reviews.prod.svc.cluster.local
          weight: 80
        - destination:
            host: reviews.qa.svc.cluster.local
          weight: 20

    The following VirtualService forwards traffic arriving at (external) port 27017 to an internal Mongo server on port 5555. This rule is not applicable internally in the mesh because the gateway list omits the reserved name mesh.
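    The VirtualService this paragraph describes is not reproduced on the page. The pair below is an added example, not the page's own listing: a Gateway server on port 27017 and the TCP VirtualService bound to it only (no mesh entry), so sidecars inside the mesh ignore the rule. The gateway name mongo-ingress, the Service host mongosvr.prod.svc.cluster.local and the namespaces are assumptions.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mongo-ingress                  # assumed name
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 27017                    # external port from the description
      name: mongo
      protocol: MONGO
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mongo-rule                     # assumed name
  namespace: bookinfo-namespace
spec:
  hosts:
  - mongosvr.prod.svc.cluster.local    # assumed backend Service
  gateways:
  - some-config-namespace/mongo-ingress
  # "mesh" is deliberately absent: in-mesh clients talking to mongosvr
  # on its normal port are not affected by this rewrite.
  tcp:
  - match:
    - port: 27017                      # gateway-side port
    route:
    - destination:
        host: mongosvr.prod.svc.cluster.local
        port:
          number: 5555                 # internal port the server listens on
```

    For a TCP route the only match criteria are the port (and optionally source labels or destination subnets); there is no host or path inspection, so the hosts field of a TCP VirtualService is effectively a naming handle rather than an access control.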

    It is possible to restrict the set of virtual services that can bind to a gateway server using the namespace/hostname syntax in the hosts field. For example, the following Gateway allows any virtual service in the ns1 namespace to bind to it, while in the ns2 namespace only the virtual service with host foo.bar.com may bind to it.

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: my-gateway
      namespace: some-config-namespace
    spec:
      selector: # pod-label selector; the key was dropped in extraction
        app: my-gateway-controller
      servers:
      - port:
          number: 80
          name: http
          protocol: HTTP # protocol is a required Port field (see Port below)
        hosts:
        - "ns1/*"
        - "ns2/foo.bar.com"

    Gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections.

    Port

    Port describes the properties of a specific port of a service.

    number (uint32), required: Yes
        A valid non-negative integer port number.

    protocol (string), required: Yes
        The protocol exposed on the port. MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. TLS implies the connection will be routed based on the SNI header to the destination without terminating the TLS connection.

    name (string), required: No
        Label assigned to the port.

    Server describes the properties of the proxy on a given load balancer port. For example,

    Another example

    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: my-tcp-ingress
    spec:
      selector:
        app: my-tcp-ingress-gateway
      servers:
      - port:
          number: 27018
          name: mongo
          protocol: MONGO
        hosts:
        - "*"

    Server.TLSOptions

    httpsRedirect (bool), required: No
        If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS.

    mode (TLSmode), required: No
        Optional: Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

    serverCertificate (string), required: No
        REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server-side TLS certificate to use.

    privateKey (string), required: No
        REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server's private key.

    caCertificates (string), required: No
        REQUIRED if mode is MUTUAL. The path to a file containing certificate authority certificates to use in verifying a presented client side certificate.

    credentialName (string), required: No
        The credentialName stands for a unique identifier that can be used to identify the serverCertificate and the privateKey. The credentialName appended with the suffix "-cacert" is used to identify the caCertificates associated with this server. Gateway workloads capable of fetching credentials from a remote credential store, such as Kubernetes secrets, will be configured to retrieve the serverCertificate and the privateKey using credentialName instead of the file system paths specified above. If using mutual TLS, gateway workload instances will retrieve the caCertificates using credentialName-cacert. The semantics of the name are platform dependent. In Kubernetes, the default Istio supplied credential server expects the credentialName to match the name of the Kubernetes secret that holds the server certificate, the private key, and the CA certificate (if using mutual TLS). Set the ISTIO_META_USER_SDS metadata variable in the gateway's proxy to enable the dynamic credential fetching feature.

    subjectAltNames (string[]), required: No
        A list of alternate names to verify the subject identity in the certificate presented by the client.

    verifyCertificateSpki (string[]), required: No

    verifyCertificateHash (string[]), required: No
        An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. Both simple and colon separated formats are acceptable. Note: When both verifyCertificateHash and verifyCertificateSpki are specified, a hash matching either value will result in the certificate being accepted.

    minProtocolVersion (TLSProtocol), required: No
        Optional: Minimum TLS protocol version.

    maxProtocolVersion (TLSProtocol), required: No
        Optional: Maximum TLS protocol version.

    cipherSuites (string[]), required: No
        Optional: If specified, only support the specified cipher list. Otherwise default to the default cipher list supported by Envoy.

    Server.TLSOptions.TLSProtocol

    TLS protocol versions.

    Server.TLSOptions.TLSmode

    TLS modes enforced by the proxy

    PASSTHROUGH
        The SNI string presented by the client will be used as the match criterion in a VirtualService TLS route to determine the destination service from the service registry.

    SIMPLE
        Secure connections with standard TLS semantics.

    MUTUAL
        Secure connections to the downstream using mutual TLS by presenting server certificates for authentication.

    AUTO_PASSTHROUGH

    ISTIO_MUTUAL
        Secure connections from the downstream using mutual TLS by presenting server certificates for authentication. Compared to MUTUAL mode, this mode uses certificates representing the gateway workload identity, generated automatically by Istio, for mTLS authentication. When this mode is used, all other fields in TLSOptions should be empty.
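    The PASSTHROUGH description above says the client's SNI is the match criterion of a VirtualService TLS route. The following added example, not the page's own, shows both halves of that arrangement: a Gateway server with protocol TLS and mode PASSTHROUGH, and the VirtualService whose tls routes split connections by sniHosts. The gateway name passthrough-gateway, the wildcard host and the backend port 443 are assumptions.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: passthrough-gateway            # assumed name
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 443
      name: tls-passthrough
      protocol: TLS                    # TLS (not HTTPS): route on SNI, do not terminate
    hosts:
    - "*.bookinfo.com"                 # assumed
    tls:
      mode: PASSTHROUGH                # no serverCertificate/privateKey needed
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews-sni                    # assumed name
  namespace: bookinfo-namespace
spec:
  hosts:
  - uk.bookinfo.com
  - eu.bookinfo.com
  gateways:
  - some-config-namespace/passthrough-gateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - uk.bookinfo.com                # ClientHello SNI decides the backend
    route:
    - destination:
        host: reviews.prod.svc.cluster.local
        port:
          number: 443                  # assumed: backend terminates TLS itself
  - match:
    - port: 443
      sniHosts:
      - eu.bookinfo.com
    route:
    - destination:
        host: reviews.qa.svc.cluster.local
        port:
          number: 443
```

    Because the gateway never decrypts the stream in this mode, it can only act on the unencrypted SNI field of the ClientHello: no path or header routing, and no client certificate checks (subjectAltNames, verifyCertificateHash) are possible at the gateway. Those controls, and the certificate/key material, have to live on the backend that terminates the connection. A connection whose SNI matches none of the tls routes is dropped rather than forwarded, which is the behaviour to expect when testing a missing entry.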