Alibaba Cloud Service Mesh (ASM) allows you to create a default ingress gateway service for your ASM instance in the console. Alternatively, you can use a Kubernetes custom resource definition (CRD) to create a custom gateway. This topic describes how to define a custom ingress gateway service.

Prerequisites

  • An ASM instance is created. For more information, see Create an ASM instance.
  • An application is deployed in a Container Service for Kubernetes (ACK) cluster that is added to the ASM instance. For more information, see Deploy an application in an ASM instance.
  • Custom ingress gateway services must be deployed in the istio-system namespace, so that the gateway can obtain its configuration at startup and start successfully. In Istio 1.6 and later, a custom ingress gateway service that is deployed in any other namespace is unavailable.

Background information

ASM allows you to create a custom gateway by using a Kubernetes CRD. ASM provides a CRD whose kind parameter is IstioGateway and whose apiVersion parameter is istio.alibabacloud.com/v1beta1, together with a controller for that CRD. The controller watches IstioGateway resources for changes and creates or updates the corresponding Service, Deployment, and ServiceAccount in the Kubernetes cluster in which the controller runs.

Deploy a custom ingress gateway service

  1. Create a myexample-customingressgateway.yaml file and add the following code to the YAML file:
    apiVersion: istio.alibabacloud.com/v1beta1
    kind: IstioGateway
    metadata:
      name: "myexample-customingressgateway"
      namespace: "istio-system"
    spec:
      clusterIds:
        - "cluster1Id"
        - "cluster2Id"
      cpu:
        targetAverageUtilization: 80
      env:
        - name: "envname1"
          value: "envvalue1"
      externalTrafficPolicy: Local
      maxReplicas: 2
      minReplicas: 1
      ports:
        - name: status-port
          port: 15020
          targetPort: 15020
        - name: http2
          port: 80
          targetPort: 80
        - name: https
          port: 443
          targetPort: 0
        - name: tls
          port: 15443
          targetPort: 15443
      replicaCount: 1
      resources:
        limits:
          cpu: '2'
          memory: 2G
        requests:
          cpu: 200m
          memory: 256Mi
      sds:
        enabled: false
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 2000m
            memory: 1024Mi
      # Optional volume mounts; uncomment and adjust to mount a ConfigMap or a Secret into the gateway pod.
      # configVolumes:
      # - name: config-volume-lua
      #   configMapName: lua-libs
      #   mountPath: /var/lib/lua
      # secretVolumes:
      # - name: myexample-customingressgateway-certs
      #   secretName: istio-myexample-customingressgateway-certs
      #   mountPath: /etc/istio/myexample-customingressgateway-certs
      serviceType: LoadBalancer
      serviceAnnotations:
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
      serviceLabels:
        serviceLabelKey1: "serviceLabelValue1"
      podAnnotations:
        podAnnotationsKey1: "podAnnotationsValue1"
      rollingMaxSurge: "100%"
      rollingMaxUnavailable: "25%"
      # Per-cluster settings; each key must be a cluster ID that is listed in clusterIds.
      overrides:
        cluster1Id:
          replicaCount: 1
          resources:
            limits:
              cpu: '2'
              memory: 2G
            requests:
              cpu: 200m
              memory: 256Mi
          serviceAnnotations:
            service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
            service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: "slb.s1.small"
        cluster2Id:
          replicaCount: 2
          resources:
            limits:
              cpu: '4'
              memory: 4G
            requests:
              cpu: 400m
              memory: 512Mi
          serviceAnnotations:
            service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
            service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: "slb.s2.small"
      # hostNetwork: true places the gateway pod in the network namespace of the host node.
      hostNetwork: true
      dnsPolicy: "ClusterFirstWithHostNet"
    Table 1. Parameters

    Each entry lists the parameter, its description, and its default value.

    metadata.name
      Description: The name of the ingress gateway service. The generated Kubernetes Service and Deployment are both named istio-{the value of the metadata.name parameter}.
      Default value: N/A
    metadata.namespace
      Description: The namespace of the generated Kubernetes Service and Deployment.
      Notice: To ensure that the generated Kubernetes Service and Deployment are available in Istio 1.6 and later, the namespace must be istio-system.
      Default value: istio-system
    clusterIds
      Description: The IDs of the clusters in which you want to deploy the ingress gateway service. The value is an array. The clusters must be managed by the current ASM instance.
      Default value: N/A
    cpu.targetAverageUtilization
      Description: The maximum CPU utilization that is supported by Horizontal Pod Autoscaler (HPA).
      Default value: 80
    env
      Description: The environment variables of the pod of the ingress gateway service. The value is an array.
      Default value: N/A
    externalTrafficPolicy
      Description: Specifies whether the ingress gateway service routes inbound traffic to node-local or cluster-wide endpoints. Valid values: Cluster and Local.
      Default value: Local
    maxReplicas
      Description: The maximum number of replicas to which the service can be scaled up.
      Default value: 5
    minReplicas
      Description: The minimum number of replicas to which the service can be scaled down.
      Default value: 1
    ports
      Description: The ports that are defined for the pod of the ingress gateway service. The value is an array. Example:
        - name: status-port
          port: 15020
          targetPort: 15020
        - name: http2
          port: 80
          targetPort: 80
        - name: https
          port: 443
          targetPort: 0
        - name: tls
          port: 15443
          targetPort: 15443
      Default value: N/A
    replicaCount
      Description: The number of replicas.
      Default value: 1
    configVolumes
      Description: The ConfigMap volumes that are mounted to the pod of the ingress gateway service. Example:
        - name: config-volume-lua
          configMapName: lua-libs
          mountPath: /var/lib/lua
    resources
      Description: The resource configurations of the pod of the ingress gateway service. Example:
        limits:
          cpu: '2'
          memory: 2G
        requests:
          cpu: 200m
          memory: 256Mi
    sds.enabled
      Description: Specifies whether to enable software-defined storage (SDS).
      Default value: false
    sds.resources
      Description: The resource configurations of the pod that is used for SDS, provided that SDS is enabled. Example:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:
          cpu: 2000m
          memory: 1024Mi
    secretVolumes
      Description: The Secret volumes that are mounted to the pod of the ingress gateway service. Example:
        - name: myexample-customingressgateway-certs
          secretName: istio-myexample-customingressgateway-certs
          mountPath: /etc/istio/myexample-customingressgateway-certs
      Default value: N/A
    serviceType
      Description: The type of the ingress gateway service. Valid values: LoadBalancer, NodePort, and ClusterIP.
      Default value: LoadBalancer
    serviceAnnotations
      Description: The annotations of the ingress gateway service. Example: service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet.
      Note: For more information about common annotations, see Use annotations to configure load balancing.
      Default value: N/A
    serviceLabels
      Description: The labels of the ingress gateway service.
      Default value: N/A
    podAnnotations
      Description: The annotations of the pod of the ingress gateway service.
      Default value: N/A
    rollingMaxSurge
      Description: The maximum number of pods that can be scheduled above the expected number of replicas during a rolling upgrade. The value can be an absolute number or a percentage.
      Default value: "100%"
    rollingMaxUnavailable
      Description: The maximum number of pods that can be unavailable during a rolling upgrade. The value can be an absolute number or a percentage.
      Default value: "25%"
    overrides
      Description: Configures distinct settings for specific clusters. This parameter is available when the clusterIds parameter specifies two or more clusters. Use it when specific clusters need settings that differ from the preceding cluster-wide settings. The value is of the MAP type and contains key-value pairs.
      Note:
      • key: a cluster ID that is specified in the clusterIds parameter.
      • value: assignments of the serviceAnnotations, resources, and replicaCount parameters.
      Default value: N/A
    kernel.enabled
      Description: Specifies whether to enable custom kernel parameters.
      Default value: false
    kernel.parameters
      Description: The kernel parameters. The following kernel parameters are supported:
      • net.core.somaxconn
      • net.core.netdev_max_backlog
      • net.ipv4.tcp_rmem
      • net.ipv4.tcp_wmem
      • net.ipv4.ip_local_port_range
      • net.ipv4.tcp_fin_timeout
      • net.ipv4.tcp_tw_timeout
      • net.ipv4.tcp_tw_reuse
      • net.ipv4.tcp_tw_recycle
      • net.ipv4.tcp_timestamps
      • net.ipv4.tcp_retries2
      • net.ipv4.tcp_slow_start_after_idle
      • net.ipv4.tcp_max_orphans
      • net.ipv4.tcp_max_syn_backlog
      • net.ipv4.tcp_no_metrics_save
      • net.ipv4.tcp_autocorking
      • kernel.printk
      • vm.swappiness
      Notice: Specific kernel parameters that are supported by ASM may become invalid because of the kernel version of the host. If this occurs, the pod of the ingress gateway service may report errors. You can run the kubectl describe pod command to view the errors that are reported by the pod. After you delete the invalid parameters, the containers can start as expected.
      The values of all kernel parameters must be of the STRING type. YAML recognizes unquoted numbers as numeric values. Therefore, you must enclose each value in double quotation marks ("). Example: net.core.somaxconn: "65535".
      Default value: N/A
    compression.enabled
      Description: Specifies whether to enable the compression feature for the ingress gateway service.
      Default value: false
    compression.content_type
      Description: The Content-Type headers of the responses to be compressed. Examples:
      • text/html
      • application/json
      Default value: N/A
    compression.disable_on_etag_header
      Description: Specifies whether to disable the compression feature when an HTTP response includes the ETag header. If the parameter is set to true, the response is not compressed when it includes the ETag header.
      Default value: false
    compression.min_content_length
      Description: The threshold at which compression is triggered. The parameter value is compared with the size given by the Content-Length header.
      Default value: 30
    compression.remove_accept_encoding_header
      Description: Specifies whether to remove the Accept-Encoding header from an HTTP request that is sent by a client before the ingress gateway service forwards the request to an upstream server. If the parameter is set to true, the Accept-Encoding header is removed from the request. If the parameter is set to false, the Accept-Encoding header is retained.
      Default value: false
    compression.gzip
      Description: The compression format. Only the GZIP format is supported. This parameter is required if you want to enable the compression feature. If the default values are used for all the other gzip parameters, you must specify an empty value for this parameter. Example: gzip: {}.
      Default value: N/A
    compression.gzip.memory_level
      Description: The memory usage level of the zlib library. Valid values: 1 to 9. A larger value results in higher memory usage but a higher compression speed and better compression quality.
      Default value: 5
    compression.gzip.compression_level
      Description: The compression level that is used by the zlib library. Valid values:
      • COMPRESSION_LEVEL_1
      • COMPRESSION_LEVEL_2
      • COMPRESSION_LEVEL_3
      • COMPRESSION_LEVEL_4
      • COMPRESSION_LEVEL_5
      • COMPRESSION_LEVEL_6
      • COMPRESSION_LEVEL_7
      • COMPRESSION_LEVEL_8
      • COMPRESSION_LEVEL_9
      • DEFAULT_COMPRESSION
      • BEST_COMPRESSION
      • BEST_SPEED
      Note: DEFAULT_COMPRESSION is the default compression level. BEST_COMPRESSION indicates the highest compression quality. BEST_SPEED indicates the highest compression speed. COMPRESSION_LEVEL_1 is equivalent to BEST_SPEED, COMPRESSION_LEVEL_9 is equivalent to BEST_COMPRESSION, and COMPRESSION_LEVEL_6 is equivalent to DEFAULT_COMPRESSION.
      Default value: DEFAULT_COMPRESSION
    compression.gzip.compression_strategy
      Description: The compression strategy that is used by the zlib library. Valid values:
      • FILTERED
      • FIXED
      • HUFFMAN_ONLY
      • RLE
      Default value: DEFAULT_STRATEGY
    compression.gzip.window_bits
      Description: The window size of the zlib library. Valid values: 9 to 15.
      Default value: 12
    compression.gzip.chunk_size
      Description: The output buffer size of the zlib library.
      Default value: 4096
    hostNetwork
      Description: Specifies whether the pod of the ingress gateway service uses the network namespace of the host. If you set this parameter to true, the pod of the ingress gateway service runs in the network namespace of the host node.
      Default value: false
    dnsPolicy
      Description: The Domain Name System (DNS) policy of the pod of the ingress gateway service. For more information about DNS policies, see DNS for Services and Pods.
      Default value: ClusterFirst
  2. Use kubectl to connect to the ASM instance by using the kubeconfig file of the instance. For more information, see Use kubectl to connect to an ASM instance.
  3. Create a namespace that is named myexample. For more information, see Create a namespace.
  4. Run the kubectl apply -f myexample-customingressgateway.yaml command on the kubectl client to create a custom ingress gateway service.
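As an added example that is not part of the ASM documentation, the following Python script lints an IstioGateway manifest against the constraints stated in the parameter table above (namespace, overrides keys, supported kernel parameters and their string values, compression.gzip, and hostNetwork) before you run kubectl apply. The manifest is embedded as a constructed Python dict, and the function name lint_istio_gateway and the sample values are assumptions.

```python
# Added example, not part of the ASM docs: a pre-apply linter for an IstioGateway
# manifest. SAMPLE_MANIFEST is a constructed dict (a real file would be YAML-parsed first).

SUPPORTED_KERNEL_PARAMS = {
    "net.core.somaxconn", "net.core.netdev_max_backlog", "net.ipv4.tcp_rmem",
    "net.ipv4.tcp_wmem", "net.ipv4.ip_local_port_range", "net.ipv4.tcp_fin_timeout",
    "net.ipv4.tcp_tw_timeout", "net.ipv4.tcp_tw_reuse", "net.ipv4.tcp_tw_recycle",
    "net.ipv4.tcp_timestamps", "net.ipv4.tcp_retries2", "net.ipv4.tcp_slow_start_after_idle",
    "net.ipv4.tcp_max_orphans", "net.ipv4.tcp_max_syn_backlog", "net.ipv4.tcp_no_metrics_save",
    "net.ipv4.tcp_autocorking", "kernel.printk", "vm.swappiness",
}

def lint_istio_gateway(manifest):
    """Return a list of findings; an empty list means the manifest passes."""
    findings = []
    meta, spec = manifest.get("metadata", {}), manifest.get("spec", {})
    # Istio 1.6 and later only start the gateway when it lives in istio-system.
    if meta.get("namespace") != "istio-system":
        findings.append("metadata.namespace must be istio-system")
    # overrides keys are cluster IDs and must already appear in clusterIds.
    clusters = set(spec.get("clusterIds", []))
    for cid in spec.get("overrides", {}):
        if cid not in clusters:
            findings.append(f"overrides.{cid} is not listed in clusterIds")
    # Kernel parameters: supported names only, and every value must be a string
    # (an unquoted 65535 arrives as an int after YAML parsing and is rejected).
    kernel = spec.get("kernel", {})
    for name, value in (kernel.get("parameters", {}) if kernel.get("enabled") else {}).items():
        if name not in SUPPORTED_KERNEL_PARAMS:
            findings.append(f"kernel.parameters.{name} is not supported")
        if not isinstance(value, str):
            findings.append(f"kernel.parameters.{name} must be a quoted string")
    comp = spec.get("compression", {})
    if comp.get("enabled") and "gzip" not in comp:
        findings.append("compression.gzip is required when compression is enabled")
    gzip = comp.get("gzip") or {}
    if not (1 <= gzip.get("memory_level", 5) <= 9 and 9 <= gzip.get("window_bits", 12) <= 15):
        findings.append("compression.gzip: memory_level must be 1-9 and window_bits 9-15")
    # hostNetwork: true puts the gateway pod in the node's network namespace; surface it.
    if spec.get("hostNetwork"):
        findings.append("hostNetwork is true: pod shares the host network namespace")
    return findings

# Constructed manifest with four deliberate mistakes for the linter to report.
SAMPLE_MANIFEST = {
    "metadata": {"name": "myexample-customingressgateway", "namespace": "myexample"},
    "spec": {"clusterIds": ["cluster1Id"], "overrides": {"cluster2Id": {"replicaCount": 2}},
             "kernel": {"enabled": True, "parameters": {"net.core.somaxconn": 65535}},
             "compression": {"enabled": True, "gzip": {}}, "hostNetwork": True},
}
```

Run lint_istio_gateway on the parsed manifest and treat any non-empty result as a reason to stop before kubectl apply.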

View the details of the custom ingress gateway service

After you deploy the custom ingress gateway service, you can view the details of the custom ingress gateway service in the ACK console.

To view the details of the ingress gateway service, perform the following steps:

  1. Log on to the Container Service console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the details page, choose Network > Services.
  5. At the top of the Services page, select myexample from the Namespace drop-down list.
  6. Click Details in the Actions column of the custom ingress gateway service that you want to view.

To view the pod information about the custom ingress gateway service, perform the following steps:

  1. Log on to the Container Service console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the details page, choose Workloads > Pods.
  5. At the top of the Pods page, select myexample from the Namespace drop-down list.
  6. Click Details in the Actions column of the pod of the custom ingress gateway service that you want to view.