Deploy MSE Gateway with MseIngressConfig on ACK - ACK

MseIngressConfig is a CustomResourceDefinition (CRD) provided by Microservices Engine (MSE) Ingress Controller. It lets you manage the full lifecycle of an MSE cloud-native gateway—creating, reusing, or deleting a gateway—and configure global settings such as IP access control, TLS hardware acceleration, access logging, and distributed tracing, all without restarting the controller.

How it works

MSE Ingress Controller watches MseIngressConfig resources in your cluster and dynamically maintains the corresponding cloud-native gateway. After the gateway is associated with your cluster's API server, its control plane syncs Ingress resource changes and updates routing rules in real time. When the gateway receives a request, it matches the request against Ingress routing rules and forwards traffic to the appropriate backend pod.

The following diagram shows the relationship between the components.

The key components are:

Service: An abstraction of backend services. A service represents a group of replicated pods.
Ingress: Contains reverse proxy rules that route HTTP or HTTPS requests to services based on hostnames and paths.
IngressClass: Declares which Ingress controller implementation handles a set of Ingress resources. Associate an IngressClass with an MseIngressConfig to activate the MSE cloud-native gateway for those Ingress resources.
MseIngressConfig: The CRD that provides gateway configuration—instance specs, network settings, global policies, and Ingress listening scope.
MSE Ingress Controller: The control plane that watches MseIngressConfig resources and coordinates the cloud-native gateway. It does not act as a network data plane.

One MseIngressConfig maps to exactly one MSE cloud-native gateway. To run multiple gateways, create multiple MseIngressConfigs.

MseIngressConfig reference

Full configuration example

apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: test
spec:
  name: mse-ingress
  common:
    pay:
      payType: POSTPAY
    instance:
      spec: 4c8g
      replicas: 3
    network:
      vSwitches:
      - "vsw-1"
      - "vsw-2"
      publicSLBSpec: slb.s2.small
    securityGroupType: normal
  global:
    tls:
      enableHardwareAcceleration: true
    ipAccessControl:
      whitelist:
      - 1.1.XX.XX
      - 2.2.XX.XX
  monitor:
    logging:
      sls:
        reuseProject: "xxx"   # Leave blank to use the default project
    tracing:
      xTrace:
        sampleRate: "100"
  ingress:
    local:
      ingressClass: mse
      watchNamespace: ""      # Leave blank to listen to all namespaces

Parameters

Parameter	Description	Required	Default
`name`	Name of the gateway	No	`mse-ingress`
`common.pay.payType`	Billing method. Only `POSTPAY` (pay-as-you-go) is supported.	No	`POSTPAY`
`common.instance.spec`	Gateway instance size. Valid values: `2c4g`, `4c8g`, `8c16g`, `16c32g`	No	`4c8g`
`common.instance.replicas`	Number of gateway replicas. Valid values: 0–30	No	`3`
`common.network.vSwitches`	Primary and secondary vSwitches. Specify at least one and at most two. If not set, the vSwitch on the node running the MSE Ingress Controller pod is used.	No	None
`common.network.publicSLBSpec`	Specifications for the Internet-facing Server Load Balancer (SLB) instance. Valid values: `slb.s1.small`, `slb.s2.small`, `slb.s2.medium`, `slb.s3.small`, `slb.s3.medium`, `slb.s3.large`	No	`slb.s2.small`
`common.network.privateSLBSpec`	Specifications for the internal-facing SLB instance. Same valid values as `publicSLBSpec`.	No	`slb.s2.small`
`common.securityGroupType`	Security group type. Valid values: `enterprise` (advanced), `normal` (basic)	No	`normal`
`global.tls.enableHardwareAcceleration`	Enable Transport Layer Security (TLS) hardware acceleration to improve HTTPS processing performance.	No	`true`
`global.ipAccessControl.whitelist`	Global IP address whitelist. Accepts individual IPs and CIDR blocks.	No	Not configured
`global.ipAccessControl.blacklist`	Global IP address blacklist. Accepts individual IPs and CIDR blocks.	No	Not configured
`monitor.logging.sls`	Activate Simple Log Service (SLS) access logging. Grant SLS permissions to MSE Ingress Controller before enabling.	No	Disabled
`monitor.logging.sls.reuseProject`	SLS project for access logs. Leave blank to use the default project; specify a project name to use an existing project.	No	Blank (default project)
`monitor.tracing.xTrace`	Enable xTrace tracing analysis. Cannot be enabled together with `openTelemetry`.	No	Disabled
`monitor.tracing.xTrace.sampleRate`	Sampling rate for xTrace, as a string percentage. For example, `"100"` = 100%.	No	`"0"`
`monitor.tracing.openTelemetry`	Enable OpenTelemetry tracing analysis. Cannot be enabled together with `xTrace`.	No	Disabled
`monitor.tracing.openTelemetry.sampleRate`	Sampling rate for OpenTelemetry, as a string percentage.	No	`"100"`
`ingress.local.ingressClass`	IngressClass the gateway listens to. See the table below for valid values.	No	Not configured
`ingress.local.watchNamespace`	Namespace to watch. Leave blank to listen to all namespaces. Only one namespace can be specified.	No	Blank (all namespaces)

`ingress.local.ingressClass` valid values:

Value	Behavior
Not configured	No Ingress resources are listened to.
`mse`	Listens to Ingress resources with IngressClass `mse`.
`""` (empty string)	Listens to all Ingress resources in the cluster.
`nginx`	Listens to Ingress resources with IngressClass `nginx`, or with no IngressClass.
Any other value	Listens to Ingress resources associated with the specified IngressClass.

An IngressClass resource that explicitly references an MseIngressConfig in its spec.parameters takes precedence over the value of ingress.local.ingressClass.

Status

Check the status of an MseIngressConfig:

kubectl get mseingressconfig

Expected output:

NAME   STATUS     MESSAGE
test   Listening

The status progresses in the following order: Pending → Running → Listening.

Status	Description
`Pending`	The cloud-native gateway is being created. Creation takes approximately 3 minutes.
`Running`	The gateway is created and running.
`Listening`	The gateway is running and listening to Ingress resources in the cluster.
`Failed`	The gateway is invalid. Check the `Message` field in the status output for the cause.

Resource tags

MSE cloud-native gateways created or reused by MseIngressConfigs are automatically tagged. View these tags in the basic information section of the MSE console.

Important

Do not edit these tags in the MSE console. Modifying them may disrupt gateway operation.

Tag	Description
`ack.aliyun.com`	Identifies the ACK cluster whose ingress traffic this gateway manages.
`ingress.k8s.alibaba/MseIngressConfig`	Identifies the MseIngressConfig associated with this gateway.
`kubernetes.reused.by.user`	Marks the gateway as reused. Deleting the associated MseIngressConfig does not delete a tagged gateway.

Create an MSE cloud-native gateway

Apply an MseIngressConfig to create the gateway. The following example creates a gateway named mse-ingress with 3 replicas at the 2c4g specification.

apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: test
spec:
  name: mse-ingress
  common:
    instance:
      spec: 2c4g
      replicas: 3

Create an IngressClass resource and link it to the MseIngressConfig.

apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: mse
spec:
  controller: mse.alibabacloud.com/ingress
  parameters:
    apiGroup: mse.alibabacloud.com
    kind: MseIngressConfig
    name: test

After applying both resources, Ingress resources with IngressClass mse are processed by the associated cloud-native gateway.

Verify the gateway is running.
```
kubectl get mseingressconfig test
```
The status progresses through Pending → Running → Listening. When the status shows Listening, the gateway is ready.

Reuse an existing MSE cloud-native gateway

To reuse a gateway that already exists, set spec.id to the gateway's ID (in gw-xxx format) and control whether to overwrite its configuration with spec.override.

apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: reuse
spec:
  id: gw-xxxx
  override: false
  ingress:
    local:
      ingressClass: mse

`spec.override` behavior:

`spec.override` value	Effect on Ingress listening options, TLS acceleration, IP access control, and observability	Effect on cluster association
`false`	Existing gateway settings are preserved.	If the gateway is not yet associated with the cluster, automatically associates it and configures `ingressClass` listening. If already associated, original Ingress settings are unchanged.
`true`	Overwrites gateway settings with the values specified in this MseIngressConfig. If a parameter is omitted from the MseIngressConfig, the original setting is cleared.	Associates the gateway with the cluster.

Important

When setting spec.override: true, specify all parameters you want to keep. Parameters omitted from the MseIngressConfig are overwritten and your traffic may be negatively affected.

Delete an MSE cloud-native gateway

Deleting an MseIngressConfig deletes the associated gateway in most cases. The exception is reuse scenarios, where the gateway is preserved.

Run the following command to delete an MseIngressConfig:

kubectl delete mseingressconfig <your-config-name>

Deletion behavior by scenario:

Billing method	Gateway created by MSE Ingress Controller	Gateway reused from the console
Pay-as-you-go	Deleting the MseIngressConfig also deletes the gateway.	Deleting the MseIngressConfig retains the gateway.
Subscription	N/A	Deleting the MseIngressConfig retains the gateway.

Configure IP access control

Allow traffic from specific IPs (whitelist)

The following example allows only the IP address 1.1.XX.XX and the CIDR block 2.0.XX.XX/8 to access the gateway.

apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: test
spec:
  name: mse-ingress
  global:
    ipAccessControl:
      whitelist:
      - 1.1.XX.XX
      - 2.0.XX.XX/8

Block traffic from specific IPs (blacklist)

The following example blocks access from the IP address 1.1.XX.XX and the CIDR block 2.0.XX.XX/8.

apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: test
spec:
  name: mse-ingress
  global:
    ipAccessControl:
      blacklist:
      - 1.1.XX.XX
      - 2.0.XX.XX/8

Activate Simple Log Service

Before activating Simple Log Service (SLS), grant SLS permissions to MSE Ingress Controller for your cluster type:

ACK managed or dedicated cluster: See the "Grant permissions to MSE Ingress Controller in an ACK dedicated cluster" section in Grant permissions to MSE Ingress Controller.
ACK Serverless cluster: See the "Grant permissions to MSE Ingress Controller in an ACK Serverless cluster" section in Grant permissions to MSE Ingress Controller.
ACS cluster: See the "Grant permissions to MSE Ingress Controller in an ACS cluster" section in Grant permissions to MSE Ingress Controller.

The following example configures the gateway to deliver access logs to an SLS project named demo. To use the default project instead, leave reuseProject blank.

apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: test
spec:
  name: mse-ingress
  monitor:
    logging:
      sls:
        reuseProject: "demo"

Activate Managed Service for OpenTelemetry

Configuring Managed Service for OpenTelemetry enables end-to-end distributed tracing to help diagnose and locate production issues.

The following example sets the sampling rate to 100%.

apiVersion: mse.alibabacloud.com/v1alpha1
kind: MseIngressConfig
metadata:
  name: test
spec:
  name: mse-ingress
  monitor:
    tracing:
      xTrace:
        sampleRate: "100"