
Alibaba Cloud Service Mesh: Create an ingress gateway that uses an IPv6 address

Last Updated: Jun 05, 2023

IPv6 provides a larger address space and higher security compared with IPv4. This topic describes how to create a Service Mesh (ASM) ingress gateway that uses an IPv6 address. This topic also describes how to add an IPv6 address to an existing ingress gateway.

Prerequisites

The cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.

Create an ingress gateway that uses an IPv6 address

To create an ingress gateway that uses an IPv6 address, you must add the service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version: "ipv6" annotation to the YAML code.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
  3. On the Ingress Gateway page, click Create from YAML.

  4. On the Create page, set the Namespace parameter to istio-system, enter the following content in the YAML field, and then click Create.

    apiVersion: istio.alibabacloud.com/v1beta1
    kind: IstioGateway
    metadata:
      name: ingressgateway
      namespace: istio-system
    spec:
      gatewayType: ingress
      clusterIds:
        - c808cdd6abd854d5ba6764da5ca2e****          # The ID of the cluster on the data plane. 
      ports:
        - name: http-0
          port: 80
          targetPort: 80
          protocol: HTTP
        - name: https-1
          port: 443
          targetPort: 443
          protocol: HTTPS
      serviceAnnotations:
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: slb.s1.small
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version: "ipv6"
      replicaCount: 1
      resources:
        limits:
          cpu: '2'
          memory: 4G
        requests:
          cpu: 200m
          memory: 256Mi
      serviceType: LoadBalancer
      autoCreateGatewayYaml: true                      

    | Parameter | Description |
    | --- | --- |
    | service.beta.kubernetes.io/alicloud-loadbalancer-address-type | The type of the Server Load Balancer (SLB) instance. Valid values: internet (an Internet-facing SLB instance) and intranet (an internal-facing SLB instance). |
    | service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec | The specifications of the SLB instance. Valid values: slb.s1.small, slb.s2.small, slb.s2.medium, slb.s3.small, slb.s3.medium, and slb.s3.large. |
    | service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version | The version of the IP address used by the SLB instance. In this example, the parameter is set to ipv6, which indicates that the SLB instance uses an IPv6 address. |

    After the ingress gateway is created, you can view the IPv6 address in the Kubernetes Service column that corresponds to the ingress gateway on the Ingress Gateway page.

Add an IPv6 address to an existing ingress gateway

If you have created an ingress gateway that uses an IPv4 address, you can create an SLB instance to add an IPv6 address to the ingress gateway. After that, the ingress gateway uses both the IPv4 and IPv6 addresses.

  1. Log on to the ACK console and click Clusters in the left-side navigation pane.

  2. On the Clusters page, click the name of a cluster and choose Network > Services in the left-side navigation pane.

  3. In the upper part of the Services page, set the Namespace parameter to istio-system and click Create Resources in YAML in the upper-right corner.

  4. On the Create page, select Custom from the Sample Template drop-down list, enter the following content in the Template field, and then click Create.

    Important

    The value of the nodePort parameter cannot be the same as an existing port number.

    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: slb.s1.small
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version: "ipv6"
      labels:
        app: istio-ingressgateway
        asm-system: 'true'
        istio: ingressgateway
      name: istio-ingressgateway-2
      namespace: istio-system
    spec:
      externalTrafficPolicy: Cluster
      ports:
        - name: http-0
          nodePort: 30544
          port: 80
          protocol: TCP
          targetPort: 80
        - name: https-2
          nodePort: 30682
          port: 443
          protocol: TCP
          targetPort: 443
      selector:
        app: istio-ingressgateway
        asm-system: 'true'
        istio: ingressgateway
        provider: asm
      sessionAffinity: None
      type: LoadBalancer
                            

    | Parameter | Description |
    | --- | --- |
    | service.beta.kubernetes.io/alicloud-loadbalancer-address-type | The type of the SLB instance. Valid values: internet (an Internet-facing SLB instance) and intranet (an internal-facing SLB instance). |
    | service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec | The specifications of the SLB instance. Valid values: slb.s1.small, slb.s2.small, slb.s2.medium, slb.s3.small, slb.s3.medium, and slb.s3.large. |
    | service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version | The version of the IP address used by the SLB instance. In this example, the parameter is set to ipv6, which indicates that the SLB instance uses an IPv6 address. |

    After the SLB instance is created, the IPv4 and IPv6 addresses of istio-ingressgateway and istio-ingressgateway-2 are displayed in the External Endpoint column on the Services page. The displayed IPv4 and IPv6 addresses are used by the ASM gateway.

FAQ

How do I obtain the original IPv6 address of a client?

  1. Configure an SLB instance that uses an IPv6 address. Enable Proxy Protocol in the Advanced section for listeners of the SLB instance on ports 80 and 443. For more information, see Enable Proxy Protocol for a Layer 4 listener to retrieve client IP addresses.

  2. Create an Envoy filter template.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Plugin Extension Center > EnvoyFilter Template. On the page that appears, click Create EnvoyFilter Template.
    3. On the Create page, enter a template name, click Add an EnvoyFilter template for specific adapted Istio version, select an Istio version, enter the following content in the YAML code editor, and then click Create.

      apiVersion: networking.istio.io/v1alpha3
      kind: EnvoyFilter
      metadata:
        name: proxy-protocol
        namespace: istio-system
      spec:
        configPatches:
        - applyTo: LISTENER
          patch:
            operation: MERGE
            value:
              listener_filters:
              - name: envoy.listener.proxy_protocol
              - name: envoy.listener.tls_inspector
        workloadSelector:
          labels:
            istio: ingressgateway

  3. Apply the Envoy filter template to the ingress gateway so that the ingress gateway supports Proxy Protocol.

    1. On the EnvoyFilter Template page, find the Envoy filter template that you created in the previous step and click Edit template in the Actions column.

    2. On the Edit EnvoyFilter Template page, click the Bind template to workloads tab and click Bind EnvoyFilter to Workloads.

    3. In the Bind EnvoyFilter to Workloads dialog box, set the Namespace parameter to istio-system and the Workload Type parameter to Deployment, click Bind next to the ingress gateway in the Not bound section, and then click OK.

  4. Access a URL that uses an IPv6 address and check the logs of the ingress gateway.

    In the sample logs, the value of the downstream_remote_address field indicates the original IPv6 address of the client.

    {"upstream_cluster":null,"bytes_received":0,"downstream_local_address":"[2400:XXXX:1300::12d1]:80","upstream_service_time":null,"FILTER_CHAIN_NAME":null,"path":"/","x_forwarded_for":"2402:XXXX:1800:af00:0:9671:f00f:314b","upstream_host":null,"bytes_sent":0,"requested_server_name":null,"route_name":null,"response_flags":"NR","start_time":"2022-12-28T06:41:57.796Z","upstream_transport_failure_reason":null,"protocol":"HTTP/1.1","authority":"[2400:XXXX:1300::12d1]","LOCAL_REPLY_BODY":"","duration":0,"method":"GET","downstream_remote_address":"[2402:XXXX:1800:af00:0:9671:f00f:314b]:58272","request_id":"fee2b69a-b755-986b-91e4-5d228c81****","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36","trace_id":null,"authority_for":"[2400:XXXX:1300::12d1]","upstream_local_address":null,"istio_policy_status":null,"response_code":404}
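
An added example (not part of the original page or of ASM itself): one way to run the step 4 check over many gateway log lines, confirming that downstream_remote_address carries the client's address rather than an internal hop, and that x_forwarded_for holds nothing ahead of the entry matching that address. The log lines are constructed with the 2001:db8::/32 documentation prefix; the internal ranges and verdict names are assumptions to adapt to your VPC.

```python
import ipaddress
import json

# Constructed sample lines, trimmed to the fields this check reads.
SAMPLE_LOGS = [
    '{"downstream_remote_address":"[2001:db8:1800:af00:0:9671:f00f:314b]:58272",'
    '"x_forwarded_for":"2001:db8:1800:af00:0:9671:f00f:314b","response_code":404}',
    '{"downstream_remote_address":"10.0.3.17:41822",'
    '"x_forwarded_for":"10.0.3.17","response_code":200}',
    '{"downstream_remote_address":"[2001:db8::77]:40100",'
    '"x_forwarded_for":"2001:db8::bad, 2001:db8::77","response_code":200}',
]

# Assumption: ranges that can only belong to nodes, pods or the load balancer.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "fc00::/7", "fe80::/10")]


def split_host_port(value):
    """Split 'ip:port' or '[ipv6]:port' into (ip_address, port)."""
    host, _, port = value.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def same_ip(text, peer):
    """True if text parses as the same address as peer; False on garbage."""
    try:
        return ipaddress.ip_address(text) == peer
    except ValueError:
        return False


def classify(line):
    """Return (peer_ip, verdict) for one JSON access-log line."""
    entry = json.loads(line)
    peer, _port = split_host_port(entry["downstream_remote_address"])
    xff = [h.strip() for h in (entry.get("x_forwarded_for") or "").split(",") if h.strip()]
    if any(peer in net for net in INTERNAL_NETS):
        return str(peer), "internal-peer"        # client address was not recovered
    if xff and not same_ip(xff[-1], peer):
        return str(peer), "xff-mismatch"         # last hop disagrees with the peer
    if len(xff) > 1:
        return str(peer), "client-supplied-xff"  # entries before the last are unverified
    return str(peer), "ok"


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(classify(sample))
```

An internal-peer verdict on traffic that entered through the IPv6 SLB instance suggests that Proxy Protocol is not enabled on that listener or that the EnvoyFilter is not bound to the gateway workload.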