Expose an ingress gateway using an external load balancer

Overview

With Cloud Service Mesh you can deploy and manage ingress gateways as part of your service mesh. You can further configure load balancing for your cluster with Cloud Service Mesh by using external load balancers (physical or software load balancers outside of the cluster) to send traffic to the ingress gateway.

This page shows you how to configure an external load balancer with Cloud Service Mesh. Alternatively, you can set up ingress with multiple backend configs.

Before you begin

To complete the steps in this document you need the following resources:

  • A Kubernetes cluster with Cloud Service Mesh installed.

  • An external load balancer that can access the nodes where your cluster is running. You will configure this external load balancer to front the ingress gateway of your cluster via the External IP Address.

Set up your environment

Run the following commands from a workstation that can access the cluster you intend to use. Make sure that the kubectl tool is configured to use the cluster context specific to your cluster.

  1. Set the environment variables.

    export ASM_INGRESSGATEWAY_NAMESPACE=asm-ingressgateway
    export ASM_INGRESSGATEWAY_DEPLOYMENT_NAME=asm-ingressgateway
    export ASM_INGRESSGATEWAY_SERVICE_NAME=asm-ingressgateway
    export ASM_INGRESSGATEWAY_NODE_LABEL=asm-ingressgateway
  2. Set the IP address of the external load balancer.

    export EXTERNAL_LB_IP_ADDRESS=EXTERNAL_LB_IP_ADDRESS
  3. [Optional] Label the ingress gateway nodes. This ensures that the gateway gets deployed to specific nodes in the cluster.

    kubectl label nodes INGRESSGATEWAY_NODE_IP ${ASM_INGRESSGATEWAY_NODE_LABEL}=
    • INGRESSGATEWAY_NODE_IP: the node(s) in your Kubernetes cluster that host the ingress gateway. Run this kubectl command once for each ingress node you have.

Create the ingress gateway

  1. Create the namespace. This namespace will be used to deploy the ingress gateway.

    kubectl create namespace ${ASM_INGRESSGATEWAY_NAMESPACE}
  2. Enable the namespace for injection. The steps depend on your Cloud Service Mesh type (either managed or in-cluster).

    Managed

    1. Use the following command to locate the available release channels:

      kubectl -n istio-system get controlplanerevision

      The output is similar to the following:

      NAME                AGE
      asm-managed         6d7h
      asm-managed-rapid   6d7h

      In the output, the value under the NAME column is the revision label that corresponds to the available release channel for the Cloud Service Mesh version.

    2. Apply the revision label to the namespace:

      kubectl label namespace ${ASM_INGRESSGATEWAY_NAMESPACE} \
        istio-injection- istio.io/rev=REVISION_LABEL --overwrite

    In-cluster

    1. Use the following command to locate the revision label on istiod:

      kubectl get deploy -n istio-system -l app=istiod -o \
        jsonpath={.items[*].metadata.labels.'istio\.io\/rev'}'{"\n"}'
    2. Apply the revision label to the namespace. In the following command, REVISION is the value of the istiod revision label that you noted in the previous step.

      kubectl label namespace ${ASM_INGRESSGATEWAY_NAMESPACE} \
        istio-injection- istio.io/rev=REVISION --overwrite
  3. Apply the ingress gateway manifest file.

    kubectl --namespace ${ASM_INGRESSGATEWAY_NAMESPACE} apply \
      --filename https://raw.githubusercontent.com/GoogleCloudPlatform/anthos-service-mesh-samples/main/docs/ingress-gateway-external-lb/ingress-gateway.yaml

    Expected output:

    serviceaccount/asm-ingressgateway created
    role.rbac.authorization.k8s.io/asm-ingressgateway created
    rolebinding.rbac.authorization.k8s.io/asm-ingressgateway created
    deployment.apps/asm-ingressgateway created
    service/asm-ingressgateway created
    poddisruptionbudget.policy/asm-ingressgateway created
    horizontalpodautoscaler.autoscaling/asm-ingressgateway created
  4. Patch the ingressgateway service with the external load balancer IP address.

    cat <<EOF > asm-external-ip-patch.yaml
    spec:
      externalIPs:
        - ${EXTERNAL_LB_IP_ADDRESS}
      loadBalancerIP: ${EXTERNAL_LB_IP_ADDRESS}
    EOF
    kubectl --namespace ${ASM_INGRESSGATEWAY_NAMESPACE} patch service/${ASM_INGRESSGATEWAY_SERVICE_NAME} \
      --patch "$(cat asm-external-ip-patch.yaml)"
  5. [Optional] Patch the ingressgateway deployment with a node affinity for the ingress gateway node label, so that the gateway pods are scheduled only onto the nodes you labelled earlier.

    cat <<EOF > asm-ingress-node-label-patch.yaml
    spec:
      template:
        spec:
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: ${ASM_INGRESSGATEWAY_NODE_LABEL}
                        operator: Exists
    EOF
    kubectl --namespace ${ASM_INGRESSGATEWAY_NAMESPACE} patch deployment/${ASM_INGRESSGATEWAY_DEPLOYMENT_NAME} \
      --patch "$(cat asm-ingress-node-label-patch.yaml)"

Set up the external load balancer

In this section, you will configure the external load balancer to connect with the ingress gateway in the cluster.

Fetch ingress gateway Service port information

  1. Get the NodePorts.

    export HTTP_INGRESS_PORT=$(kubectl --namespace ${ASM_INGRESSGATEWAY_NAMESPACE} get service/${ASM_INGRESSGATEWAY_SERVICE_NAME} \
      --output jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
    export HTTPS_INGRESS_PORT=$(kubectl --namespace ${ASM_INGRESSGATEWAY_NAMESPACE} get service/${ASM_INGRESSGATEWAY_SERVICE_NAME} \
      --output jsonpath='{.spec.ports[?(@.name=="https")].nodePort}')
    export STATUS_PORT=$(kubectl --namespace ${ASM_INGRESSGATEWAY_NAMESPACE} get service/${ASM_INGRESSGATEWAY_SERVICE_NAME} \
      --output jsonpath='{.spec.ports[?(@.name=="status-port")].nodePort}')
  2. Display the NodePorts.

    echo HTTP_INGRESS_PORT=${HTTP_INGRESS_PORT}
    echo HTTPS_INGRESS_PORT=${HTTPS_INGRESS_PORT}
    echo STATUS_PORT=${STATUS_PORT}

Configure the external load balancer

Use the NodePorts displayed in the previous step to configure connectivity between the external load balancer and the ingress gateway.

  1. Configure the health check in your load balancer configuration.

    hosts:    CLUSTER_NODE_IP
    Protocol: HTTP
    Port:     STATUS_PORT
    Path:     /healthz/ready
    • CLUSTER_NODE_IP: the IP address of a node in your Kubernetes cluster that hosts the ingress gateway. This IP address must be reachable from your external load balancer. You may have to set up this configuration multiple times, once per cluster node.

    • STATUS_PORT: the NodePort via which the ingress gateway's health status API is exposed. You can copy this value from the previous step. It is the same for every node in the cluster.

  2. Configure node pools in your load balancer for routing HTTP and HTTPS traffic. Use the following IP:PORT configuration for traffic on port 80 (HTTP) and port 443 (HTTPS).

    80  -> CLUSTER_NODE_IP:HTTP_INGRESS_PORT
    443 -> CLUSTER_NODE_IP:HTTPS_INGRESS_PORT
    • CLUSTER_NODE_IP: the IP address of a node in your Kubernetes cluster that hosts the ingress gateway. This IP address must be reachable from your external load balancer. You may have to set up this configuration multiple times, once per cluster node.

    • HTTP_INGRESS_PORT: the NodePort via which the ingress gateway's HTTP traffic is exposed. You can copy this value from the previous step. It is the same for every node in the cluster.

    • HTTPS_INGRESS_PORT: the NodePort via which the ingress gateway's HTTPS traffic is exposed. You can copy this value from the previous step. It is the same for every node in the cluster.

To verify your setup, ensure that the health checks on your load balancer are passing.
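As an added example (not part of this page or the Cloud Service Mesh sample repository), the following Python helper takes the JSON that `kubectl get service/${ASM_INGRESSGATEWAY_SERVICE_NAME} -o json` would return, extracts the same three NodePorts that the jsonpath commands above fetch, confirms that the external IP patch from the previous section is in place, and renders the per-node health-check and 80/443 backend mapping so it can be compared against what was typed into the load balancer. The service JSON, the external IP 203.0.113.10 and the node IPs are constructed sample values.

```python
import json
from ipaddress import ip_address

# Constructed sample of `kubectl get service ... -o json`, trimmed to the
# fields this procedure uses. Not real cluster output.
SAMPLE_SERVICE_JSON = """{
  "spec": {
    "type": "LoadBalancer",
    "externalIPs": ["203.0.113.10"],
    "loadBalancerIP": "203.0.113.10",
    "ports": [
      {"name": "status-port", "port": 15021, "nodePort": 30021},
      {"name": "http2", "port": 80, "nodePort": 31080},
      {"name": "https", "port": 443, "nodePort": 31443}
    ]
  }
}"""

# Kubernetes default --service-node-port-range; adjust if the cluster overrides it.
NODEPORT_RANGE = range(30000, 32768)

def node_ports(service_json):
    """Return {name: nodePort} for the three named ports the load balancer needs."""
    spec = json.loads(service_json)["spec"]
    by_name = {p["name"]: p.get("nodePort") for p in spec["ports"]}
    result = {}
    for name in ("http2", "https", "status-port"):
        port = by_name.get(name)
        if port is None:
            raise ValueError(f"Service has no NodePort for port {name!r}")
        if port not in NODEPORT_RANGE:
            raise ValueError(f"NodePort {port} for {name!r} is outside the default range")
        result[name] = port
    return result

def check_external_ip(service_json, expected_lb_ip):
    """True if the externalIPs/loadBalancerIP patch (step 4) matches the LB address."""
    spec = json.loads(service_json)["spec"]
    expected = ip_address(expected_lb_ip)
    listed = {ip_address(ip) for ip in spec.get("externalIPs", [])}
    return ip_address(spec.get("loadBalancerIP", "0.0.0.0")) == expected and expected in listed

def lb_config(service_json, node_ips):
    """Render the health check and the 80/443 -> NodePort mapping, once per node."""
    ports = node_ports(service_json)
    lines = []
    for ip in node_ips:
        ip_address(ip)  # reject anything that is not an IP literal
        lines.append(f"healthcheck {ip}:{ports['status-port']} HTTP /healthz/ready")
        lines.append(f"80  -> {ip}:{ports['http2']}")
        lines.append(f"443 -> {ip}:{ports['https']}")
    return lines
```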


Last updated 2026-02-19 UTC.