GAP Documentation

Discovery - Setting up a simple k8s API Egress Gateway with HTTPRoute

For admin use only! This is a work-in-progress document!

Objectives

Deploy an egress gateway for use with the Contact Data Service and DWH connections.

Setup for testing

We will be using the Kubernetes Gateway API. With this method we do not need to separately deploy a Gateway using a Helm chart (as we tried to do previously). We will follow Istio’s egress gateway guide for our test setup.

https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/

Step 0

A Pod from which requests can be sent is a prerequisite. This Pod can, for example, include a Netshoot container:

apiVersion: v1
kind: Pod
metadata:
  name: netshoot-unprivileged-meshed
  namespace: cloud-platform
  labels:
    app: netshoot-unprivileged-meshed
    istio.io/rev: default
spec:
  containers:
  - name: netshoot-unprivileged
    resources:
      limits:
        cpu: 50m
        memory: 50Mi
      requests:
        cpu: 50m
        memory: 50Mi
    image: eu.gcr.io/ems-gap-images/netshoot-unprivileged:latest
    command: ["/bin/sleep", "3650d"]
    imagePullPolicy: IfNotPresent
    securityContext:
      runAsUser: 1000
  restartPolicy: Always

Step 1

Create a ServiceEntry resource for the host that will need to be reached via the egress Gateway.

Do not forget the exportTo field, which is not featured in Istio’s example. It is needed to avoid interfering with service discovery in other namespaces.

apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: test-service-entry
  namespace: cloud-platform
spec:
  exportTo:
  - "."
  hosts:
  - edition.cnn.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS

Step 2

Create a Gateway resource. This will prompt controllers in istiod to implicitly create a ClusterIP-type Service and a Deployment for the Gateway.

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: cnn-egress-gateway
  namespace: cloud-platform
  annotations:
    networking.istio.io/service-type: ClusterIP
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    hostname: edition.cnn.com
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Same

Step 3

Finally, we need to route the traffic of the service above through the egress Gateway. To achieve this, we’ll need to create two HTTPRoute resources. The first routes traffic from the ServiceEntry to the egress Gateway; the second forwards it from the egress Gateway to the actual destination host.

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: direct-cnn-to-egress-gateway
  namespace: cloud-platform
spec:
  parentRefs:
  - kind: ServiceEntry
    group: networking.istio.io
    name: test-service-entry
  rules:
  - backendRefs:
    - name: cnn-egress-gateway-istio
      port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: forward-cnn-from-egress-gateway
  namespace: cloud-platform
spec:
  parentRefs:
  - name: cnn-egress-gateway
  hostnames:
  - edition.cnn.com
  rules:
  - backendRefs:
    - kind: Hostname
      group: networking.istio.io
      name: edition.cnn.com
      port: 80

Setup for production use case

This section is a work in progress.

For our actual use case, we’ll need to generalise the Gateway resource. In the spec.listeners[0] object, removing the hostname key/value pair makes the listener match all hostnames. In the same spec.listeners[0] object, allowedRoutes.namespaces.from will need to be extended to all namespaces in which ServiceEntries will be deployed for use with the egress gateway.
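As an added example (not the page’s own manifests), here is how the generalised set-up could look once both changes are applied: the Gateway listener carries no hostname and admits routes only from namespaces that carry a specific label (Selector rather than Same, which is narrower than All), a tenant namespace carries that label, and a ReferenceGrant allows that namespace’s HTTPRoute to reference the Gateway’s Service across the namespace boundary, which the Gateway API requires for cross-namespace backendRefs. The gateway name shared-egress-gateway, the label egress-gateway-access: enabled, the namespace team-a and the host api.example.com are assumptions chosen for this example; the generated Service name follows the <gateway-name>-istio pattern seen in Step 3.

```yaml
# Added example, not the page's own manifest. Assumed values: gateway name
# "shared-egress-gateway", namespace label "egress-gateway-access: enabled",
# tenant namespace "team-a", external host "api.example.com".
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-egress-gateway
  namespace: cloud-platform
  annotations:
    networking.istio.io/service-type: ClusterIP
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    # No "hostname": the listener matches every hostname. Each HTTPRoute
    # below still pins its own "hostnames" list, so routing stays explicit.
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        # "Selector" admits only labelled namespaces; "All" would let any
        # namespace attach routes to this shared egress gateway.
        from: Selector
        selector:
          matchLabels:
            egress-gateway-access: enabled
---
# Tenant namespace opted in via the label the selector above matches.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    egress-gateway-access: enabled
---
# Required by the Gateway API: an HTTPRoute in team-a may only use a Service
# in cloud-platform as a backend if cloud-platform grants it explicitly.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-team-a-to-egress-gateway
  namespace: cloud-platform
spec:
  from:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    namespace: team-a
  to:
  - group: ""
    kind: Service
    name: shared-egress-gateway-istio
---
# Tenant-side ServiceEntry, exported to its own namespace only (Step 1).
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: api-example-service-entry
  namespace: team-a
spec:
  exportTo:
  - "."
  hosts:
  - api.example.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  resolution: DNS
---
# Route 1: ServiceEntry traffic -> shared egress gateway Service (cross-namespace).
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: direct-api-example-to-egress-gateway
  namespace: team-a
spec:
  parentRefs:
  - kind: ServiceEntry
    group: networking.istio.io
    name: api-example-service-entry
  rules:
  - backendRefs:
    - name: shared-egress-gateway-istio
      namespace: cloud-platform
      port: 80
---
# Route 2: egress gateway -> real destination, attached to the Gateway in
# cloud-platform from the labelled tenant namespace.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: forward-api-example-from-egress-gateway
  namespace: team-a
spec:
  parentRefs:
  - name: shared-egress-gateway
    namespace: cloud-platform
  hostnames:
  - api.example.com
  rules:
  - backendRefs:
    - kind: Hostname
      group: networking.istio.io
      name: api.example.com
      port: 80
```

The Selector form keeps the list of namespaces allowed to use the gateway under the platform team’s control (the label on the Namespace object), while the ReferenceGrant makes the cross-namespace dependency on the gateway Service visible and auditable in cloud-platform itself; removing either a label or the grant detaches that tenant’s routes without touching the Gateway.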