GAP Documentation

Discovery - Setting up an Istio API Egress Gateway with TLSRoute and passthrough

For admin use only!

Objectives

Deploy an egress gateway for use with the Contact Data Service and DWH connections.

Setup for testing

We will be using the Istio Gateway helm chart to deploy the egress gateway proxy.

The setup is similar to the Istio HTTPS egress routing guide.

Step 0

A Pod from which test requests can be sent is a prerequisite. For example, this Pod can run a Netshoot container:

apiVersion: v1
kind: Pod
metadata:
  name: netshoot-unprivileged-meshed
  namespace: cloud-platform
  labels:
    app: netshoot-unprivileged-meshed
    istio.io/rev: default
spec:
  containers:
  - name: netshoot-unprivileged
    resources:
      limits:
        cpu: 50m
        memory: 50Mi
      requests:
        cpu: 50m
        memory: 50Mi
    image: eu.gcr.io/ems-gap-images/netshoot-unprivileged:latest
    command: ["/bin/sleep", "3650d"]
    imagePullPolicy: IfNotPresent
    securityContext:
      runAsUser: 1000
  restartPolicy: Always

Step 1

Create a ServiceEntry resource for the host that needs to be reached via the egress Gateway.

Do not forget the exportTo field, which is not featured in Istio’s example. It is needed to avoid interfering with service discovery in other namespaces.

apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: httpbin
  namespace: tooling
  labels:
    doNotRequireExportTo: enabled
spec:
  exportTo:
  - .
  - istio-egress-gateway
  hosts:
  - httpbin.org
  ports:
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS

Step 2

Create a Gateway resource. Its selector targets the gateway proxy deployment that the chart deploys. Note that the selector label comes from the actual gateway proxy deployment; its value changes with the name of the deployment.

apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: istio-egress-gateway-httpbin
  namespace: tooling
spec:
  selector:
    istio: egress-gateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - httpbin.org
    tls:
      mode: PASSTHROUGH

Step 3

Finally, we need to route the traffic for the service above through the egress Gateway. To achieve this, we create a VirtualService to handle the routing. The first tls rule routes any traffic whose SNI host is httpbin.org to the gateway deployment’s Service; the second routes it to the actual host once the traffic reaches the gateway.

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: direct-httpbin-through-egress-gateway
  namespace: tooling
spec:
  exportTo:
  - "."
  - istio-egress-gateway
  hosts:
  - httpbin.org
  gateways:
  - mesh
  - istio-egress-gateway-httpbin
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - httpbin.org
    route:
    - destination:
        host: istio-egress-gateway.istio-egress-gateway.svc.cluster.local
        port:
          number: 443
  - match:
    - gateways:
      - istio-egress-gateway-httpbin
      port: 443
      sniHosts:
      - httpbin.org
    route:
    - destination:
        host: httpbin.org
        port:
          number: 443
      weight: 100
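
As an added example that is not part of this guide or of Istio, the following Python check verifies before applying them that the three resources from Steps 1 to 3 reference each other consistently (passthrough mode, exportTo visibility, gateway binding, SNI hosts and route targets). It takes the manifests as already-parsed dicts (what yaml.safe_load returns) and assumes the egress gateway deployment lives in the istio-egress-gateway namespace, as in the route above.

```python
# Added pre-apply consistency check for the egress trio above (not GAP or Istio code).
# Inputs are the manifests as dicts, i.e. what yaml.safe_load returns for each resource.
# Assumption: the egress gateway deployment lives in the istio-egress-gateway namespace.
# Exact host names only: wildcard hosts (see the production section) are not matched.

def check_egress_wiring(se, gw, vs, egress_ns="istio-egress-gateway"):
    """Return a list of findings; an empty list means the trio is wired consistently."""
    f = []
    gw_name, vs_hosts = gw["metadata"]["name"], set(vs["spec"]["hosts"])
    se_hosts, gw_hosts = set(se["spec"]["hosts"]), set()
    for srv in gw["spec"]["servers"]:
        gw_hosts |= set(srv["hosts"])
        if srv.get("tls", {}).get("mode") != "PASSTHROUGH":  # gateway must not terminate TLS
            f.append(f"Gateway {gw_name}: port {srv['port']['number']} is not tls.mode PASSTHROUGH")
    # Step 1 caveat: both resources must be visible in the gateway's namespace or the proxy never sees them
    for kind, res in (("ServiceEntry", se), ("VirtualService", vs)):
        exported = set(res["spec"].get("exportTo", ["*"]))
        if "*" not in exported and egress_ns not in exported:
            f.append(f"{kind} {res['metadata']['name']}: exportTo must include {egress_ns}")
    for needed in ("mesh", gw_name):  # sidecars bind via 'mesh', the gateway via its Gateway name
        if needed not in vs["spec"].get("gateways", []):
            f.append(f"VirtualService: spec.gateways is missing {needed}")
    for i, rule in enumerate(vs["spec"].get("tls", [])):
        on_mesh = any("mesh" in m.get("gateways", []) for m in rule["match"])
        # sniHosts must fall within the VS hosts and within the ServiceEntry (sidecar) or Gateway (gateway) hosts
        allowed = vs_hosts & (se_hosts if on_mesh else gw_hosts)
        for bad in sorted({h for m in rule["match"] for h in m["sniHosts"]} - allowed):
            f.append(f"tls rule {i}: sniHost {bad} is not declared on the {'mesh' if on_mesh else 'gateway'} side")
        for dest in (r["destination"]["host"] for r in rule["route"]):
            if on_mesh and not dest.endswith(f".{egress_ns}.svc.cluster.local"):
                f.append(f"tls rule {i}: mesh-side route must target the gateway Service in {egress_ns}, not {dest}")
            if not on_mesh and dest not in se_hosts:
                f.append(f"tls rule {i}: gateway-side route target {dest} has no ServiceEntry")
    return f

# Constructed inputs mirroring the manifests in Steps 1 to 3 above.
EGRESS_SVC = "istio-egress-gateway.istio-egress-gateway.svc.cluster.local"
SERVICE_ENTRY = {"metadata": {"name": "httpbin"}, "spec": {
    "exportTo": [".", "istio-egress-gateway"], "hosts": ["httpbin.org"],
    "ports": [{"number": 443, "name": "tls", "protocol": "TLS"}], "resolution": "DNS"}}
GATEWAY = {"metadata": {"name": "istio-egress-gateway-httpbin"}, "spec": {
    "selector": {"istio": "egress-gateway"}, "servers": [{"port": {"number": 443, "name": "tls",
    "protocol": "TLS"}, "hosts": ["httpbin.org"], "tls": {"mode": "PASSTHROUGH"}}]}}
VIRTUAL_SERVICE = {"metadata": {"name": "direct-httpbin-through-egress-gateway"}, "spec": {
    "exportTo": [".", "istio-egress-gateway"], "hosts": ["httpbin.org"], "gateways": ["mesh", "istio-egress-gateway-httpbin"],
    "tls": [{"match": [{"gateways": ["mesh"], "port": 443, "sniHosts": ["httpbin.org"]}],
             "route": [{"destination": {"host": EGRESS_SVC, "port": {"number": 443}}}]},
            {"match": [{"gateways": ["istio-egress-gateway-httpbin"], "port": 443, "sniHosts": ["httpbin.org"]}],
             "route": [{"destination": {"host": "httpbin.org", "port": {"number": 443}}, "weight": 100}]}]}}
```

Running check_egress_wiring on the three manifests above returns an empty list; dropping istio-egress-gateway from a ServiceEntry's exportTo, or the Gateway name from the VirtualService's gateways, each produces a single finding naming the missing value.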

Setup for production use case

This section is a work in progress.

  • Generalization could be applied to the Gateway resource.
  • As the destination host of the latter rule in the VirtualService cannot by itself be set to a wildcard, care must be taken when not using the wildcard egress gateway.