An egress gateway allows services that are deployed in Alibaba Cloud Service Mesh (ASM) instances to access external services. This topic describes how to define a custom egress gateway service.

Prerequisites

An ASM instance is created, and a Container Service for Kubernetes (ACK) cluster is added to the ASM instance. For more information, see Create an ASM instance and Add a cluster to an ASM instance.

Procedure

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
  4. On the ASM Gateway tab, click Deploy Custom Ingress/Egress Gateway.
  5. In the Deploy Ingress Gateway panel, select istio-system from the Namespace drop-down list and copy the following content to the code editor. Then, click OK.
    Note: Custom egress gateway services must be deployed in the istio-system namespace so that the custom egress gateway service can obtain its configurations when it starts, which ensures a successful startup. If you deploy a custom egress gateway service in another namespace, the custom egress gateway service is unavailable in Istio 1.6 or later.
    apiVersion: istio.alibabacloud.com/v1beta1
    kind: IstioGateway
    metadata:
      name: egressgateway
      namespace: istio-system
    spec:
      maxReplicas: 2
      minReplicas: 1
      ports:
        - name: http2
          port: 80
          targetPort: 80
        - name: http-sw
          port: 11800
          targetPort: 11800
        - name: https
          port: 443
          targetPort: 443
        - name: tls
          port: 15443
          targetPort: 15443
    # configVolumes:
    # - name: config-volume-lua
    #   configMapName: lua-libs
    #   mountPath: /var/lib/lua
    # secretVolumes:
    # - name: myexample-customingressgateway-certs
    #   secretName: istio-myexample-customingressgateway-certs
    #   mountPath: /etc/istio/myexample-customingressgateway-certs
      replicaCount: 1
      resources:
        limits:
          cpu: '2'
          memory: 2G
        requests:
          cpu: 200m
          memory: 256Mi
      runAsRoot: false
      serviceType: ClusterIP
    Table 1. Parameter description

    | Parameter | Description | Default value |
    | --- | --- | --- |
    | metadata.name | The name of the egress gateway service. The generated Kubernetes service and deployment are both named istio-{The value of the metadata.name parameter}. | N/A |
    | metadata.namespace | The namespace of the generated Kubernetes service and deployment. Notice: To ensure that the generated Kubernetes service and deployment are available in Istio 1.6 or later, the namespace must be istio-system. | istio-system |
    | clusterIds | The IDs of the clusters where you want to deploy the egress gateway service. The value is an array. The clusters must be managed in the current ASM instance. | N/A |
    | cpu.targetAverageUtilization | The maximum CPU utilization that is supported by Horizontal Pod Autoscaler (HPA). | 80 |
    | env | The environment variables of the pod of the egress gateway service. The value is an array. | N/A |
    | maxReplicas | The maximum number of replicas to which to scale up. | 5 |
    | minReplicas | The minimum number of replicas to which to scale down. | 1 |
    | ports | The ports that are defined for the pod of the egress gateway service. The value is an array. Example: name: status-port, port: 15020, targetPort: 15020; name: http2, port: 80, targetPort: 80; name: https, port: 443, targetPort: 0; name: tls, port: 15443, targetPort: 15443 | N/A |
    | replicaCount | The number of replicas. | 1 |
    | resources | The resource configuration of the pod of the egress gateway service. | limits: cpu: '2', memory: 2G; requests: cpu: 200m, memory: 256Mi |
    | configVolumes | The information about the ConfigMap volume that is mounted to the pod of the egress gateway service. Example: name: config-volume-lua, configMapName: lua-libs, mountPath: /var/lib/lua | N/A |
    | secretVolumes | The information about the secret volume that is mounted to the pod of the egress gateway service. Example: name: myexample-customingressgateway-c, secretName: istio-myexample-customingressgateway-certs, mountPath: /etc/istio/myexample-customingressgateway-certs | N/A |
    | serviceType | The type of the egress gateway service. Valid values: LoadBalancer, NodePort, and ClusterIP. | ClusterIP |
    | serviceAnnotations | The annotations of the egress gateway service. Example: service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet. | N/A |
    | serviceLabels | The labels of the egress gateway service. | N/A |
    | podAnnotations | The annotations of the pod of the egress gateway service. | N/A |
    | rollingMaxSurge | The maximum number of pods that are scheduled above the expected number of replicas during a rolling upgrade. The value can be an absolute value or a percentage. | "100%" |
    | rollingMaxUnavailable | The maximum number of unavailable pods during a rolling upgrade. The value can be an absolute value or a percentage. | "25%" |
    | overrides | Configures distinct settings for specific clusters. This parameter is available when the clusterIds parameter specifies two or more clusters. Use it to give specific clusters settings that differ from the preceding cluster settings. The value is a map of key-value pairs. Note: each key is a cluster ID that is specified in the clusterIds parameter; each value contains assignments of the serviceAnnotations, resources, and replicaCount parameters. | N/A |
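
The constraints in the note and in Table 1 can be checked before a manifest is pasted into the console. The following linter is an added example, not Alibaba Cloud code; it assumes that every Table 1 parameter (including clusterIds and overrides) sits directly under spec, and the sample manifest and its cluster IDs are constructed placeholders.

```python
# Added example, not Alibaba Cloud code. Assumes Table 1 parameters sit under spec.
VALID_SERVICE_TYPES = {"LoadBalancer", "NodePort", "ClusterIP"}
OVERRIDE_FIELDS = {"serviceAnnotations", "resources", "replicaCount"}


def lint_istio_gateway(manifest):
    """Return (generated_name, problems) for a manifest parsed into a dict."""
    meta = manifest.get("metadata", {})
    spec = manifest.get("spec", {})
    problems = []

    # metadata.namespace defaults to istio-system; any other namespace leaves
    # the gateway unavailable in Istio 1.6 or later.
    namespace = meta.get("namespace", "istio-system")
    if namespace != "istio-system":
        problems.append(f"namespace is {namespace!r}, must be 'istio-system'")

    service_type = spec.get("serviceType", "ClusterIP")
    if service_type not in VALID_SERVICE_TYPES:
        problems.append(f"serviceType {service_type!r} is not a valid value")

    # Table 1 defaults: minReplicas 1, maxReplicas 5.
    lo, hi = spec.get("minReplicas", 1), spec.get("maxReplicas", 5)
    if lo > hi:
        problems.append(f"minReplicas {lo} exceeds maxReplicas {hi}")

    # overrides needs two or more clusterIds; keys must be listed cluster IDs
    # and values may only assign serviceAnnotations, resources, replicaCount.
    cluster_ids = spec.get("clusterIds", [])
    overrides = spec.get("overrides", {})
    if overrides and len(cluster_ids) < 2:
        problems.append("overrides requires two or more clusterIds")
    for cluster_id, settings in overrides.items():
        if cluster_id not in cluster_ids:
            problems.append(f"overrides key {cluster_id!r} not in clusterIds")
        for field in sorted(set(settings) - OVERRIDE_FIELDS):
            problems.append(f"overrides[{cluster_id!r}] sets unsupported {field!r}")

    # The Service and Deployment are both named istio-{metadata.name}.
    return f"istio-{meta.get('name', '')}", problems


# Constructed sample: wrong namespace, override for an unlisted cluster.
SAMPLE = {
    "metadata": {"name": "egressgateway", "namespace": "default"},
    "spec": {"serviceType": "ClusterIP", "minReplicas": 1, "maxReplicas": 2,
             "clusterIds": ["cluster-a-placeholder", "cluster-b-placeholder"],
             "overrides": {"cluster-c-placeholder": {"replicaCount": 2, "ports": []}}},
}
print(lint_istio_gateway(SAMPLE))
```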

View the details of the custom egress gateway service

After you deploy the custom egress gateway service, you can view the details of the custom egress gateway service and its pod information in the Container Service console.

View the details of the custom egress gateway service

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the details page, choose Network > Services.
  5. At the top of the Services page, select istio-system from the Namespace drop-down list. You can view the details of the custom egress gateway service in the service list.

View the pod information about the custom egress gateway service

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. In the left-side navigation pane of the details page, choose Workloads > Pods.
  5. At the top of the Pods page, select istio-system from the Namespace drop-down list. You can view the pod information about the custom egress gateway service in the pod list.