Define a custom ingress gateway service - Ingress Gateway| Alibaba Cloud Documentation Center

Alibaba Cloud Service Mesh (ASM) allows you to create a default ingress gateway service for your ASM instance in the console. Alternatively, you can use a Kubernetes custom resource definition (CRD) to create a custom gateway. This topic describes how to define a custom ingress gateway service.

Prerequisites

An ASM instance is created. For more information, see Create an ASM instance.
An application is deployed in a Container Service for Kubernetes (ACK) cluster that is added to the ASM instance. For more information, see Deploy an application in an ASM instance.
Custom ingress gateway services must be deployed in the istio-system namespace. This way, when you start a custom ingress gateway service, the configurations of the custom ingress gateway service can be obtained to ensure a successful startup. If you deploy a custom ingress gateway service in another namespace, the custom ingress gateway service is unavailable in Istio 1.6 or later.

Background information

ASM allows you to create a custom gateway by using a Kubernetes CRD. ASM provides a Kubernetes CRD for which the kind parameter is set to IstioGateway and the apiVersion parameter is set to istio.alibabacloud.com/v1beta1. ASM also provides a controller for the Kubernetes CRD. The controller monitors the changes of the Kubernetes CRD, and updates the service, deployment, and service account of the Kubernetes cluster in which the controller runs.

Deploy a custom ingress gateway service

Create a myexample-customingressgateway.yaml file and add the following code to the YAML file:

apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:   
  name: "myexample-customingressgateway"  
  namespace: "istio-system"
spec:  
  clusterIds:
    - "cluster1Id"
    - "cluster2Id"
  cpu: 
    targetAverageUtilization: 80
  env:
    - name: "envname1"
      value: "envvalue1"
  externalTrafficPolicy: Local
  ports:  
  - name: status-port    
    port: 15020    
    targetPort: 15020  
  - name: http2    
    port: 80    
    targetPort: 80  
  - name: https    
    port: 443    
    targetPort: 0  
  - name: tls    
    port: 15443    
    targetPort: 15443  
  replicaCount: 1  
  resources:
    limits:
      cpu: '2'
      memory: 2G
    requests:
      cpu: 200m
      memory: 256Mi
  sds:
    enabled: false
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi
# - name: config-volume-lua
#  configMapName: lua-libs
#  mountPath: /var/lib/lua
# secretVolumes:
# - name: myexample-customingressgateway-certs
#   secretName: istio-myexample-customingressgateway-certs
#   mountPath: /etc/istio/myexample-customingressgateway-certs
  serviceType: LoadBalancer  
  serviceAnnotations:    
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet  
  serviceLabels:
    serviceLabelKey1: "serviceLabelValue1"
  podAnnotations:
    podAnnotationsKey1: "podAnnotationsValue1"
  rollingMaxSurge: "100%"
  rollingMaxUnavailable: "25%"
  overrides:
    cluster1Id:
      replicaCount: 1 
      resources:
        limits:
          cpu: '2'
          memory: 2G
        requests:
          cpu: 200m
          memory: 256Mi
      serviceAnnotations:    
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: "slb.s1.small"
    cluster2Id:
      replicaCount: 2
      resources:
        limits:
          cpu: '4'
          memory: 4G
        requests:
          cpu: 400m
          memory: 512Mi
      serviceAnnotations:    
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: "slb.s2.small"
  hostNetwork: true
  dnsPolicy: "ClusterFirstWithHostNet"

Table 1. Parameters
Parameter	Description	Default value
metadata.name	The name of the ingress gateway service. The generated Kubernetes service and deployment are both named istio-{The value of the metadata.name parameter}.	N/A
metadata.namespace	The namespace of the generated Kubernetes service and deployment. Notice To ensure that the generated Kubernetes service and deployment are available in Istio 1.6 and later, the namespace must be istio-system.	istio-system
clusterIds	The IDs of the clusters in which you want to deploy the ingress gateway service. The value is an array. The clusters must be managed in the current ASM instance.	N/A
cpu.targetAverageUtilization	The maximum CPU utilization that is supported by Horizontal Pod Autoscaler (HPA).	80
env	The environment variables of the pod of the ingress gateway service. The value is an array.	N/A
externalTrafficPolicy	Specifies whether the ingress gateway service routes inbound traffic to node-local or cluster-wide endpoints. Valid values: `Cluster` and `Local`.	Local
ports	The ports and protocols that are defined for the pod of the ingress gateway service. The value is an array. Example: `name: http2 port: 80 targetPort: 80 protocol: HTTP2` `name: https port: 443 targetPort: 443 protocol: HTTPS` Note In versions earlier than 1.9.7.107, the protocol attribute field is not specified and must be uniformly set to TCP.	N/A
replicaCount	The number of replicas.	1
configVolumes	The information about the ConfigMap volume that is mounted to the pod of the ingress gateway service. Example: `- name: config-volume-lua configMapName: lua-libs mountPath: /var/lib/lua`
resources	The resource configurations of the pod of the ingress gateway service.	limits: cpu: '2' memory: 2G requests: cpu: 200m memory: 256Mi
sds.enabled	Specifies whether to enable software-defined storage (SDS).	false
sds.resources	The resource configurations of the pod that is used for SDS, provided that SDS is enabled.	requests: cpu: 100m memory: 128Mi requests: cpu: 2000m memory: 1024Mi
secretVolumes	The information about the secret volume that is mounted to the pod of the ingress gateway service. Example: `- name: myexample-customingressgateway-certs secretName: istio-myexample-customingressgateway-certs mountPath: /etc/istio/myexample-customingressgateway-certs`	N/A
serviceType	The type of the ingress gateway service. Valid values: `LoadBalancer`, `Nodeport`, and `ClusterIP`.	LoadBalancer
serviceAnnotations	The annotations of the ingress gateway service. Example: `service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain: 'on' service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain-timeout: '20'`. Note For more information about common annotations, see Use annotations to configure load balancing.	N/A
serviceLabels	The labels of the ingress gateway service.	N/A
podAnnotations	The annotations of the pod of the ingress gateway service.	N/A
rollingMaxSurge	The maximum number of pods that are scheduled above the expected number of replicas during a rolling upgrade. The value can be an absolute value or a percentage.	"100%"
rollingMaxUnavailable	The maximum number of unavailable pods during a rolling upgrade. The value can be an absolute value or a percentage.	"25%"
overrides	Configures distinct settings for specific clusters. This parameter is available when the `clusterIds` parameter specifies two or more clusters. You can use this parameter when you want to configure specific clusters with settings that are different from the preceding cluster settings. The value is of the MAP type that contains key-value pairs. Note `key`: a cluster ID that is specified in the `clusterIds` parameter. `value`: assignments of the `serviceAnnotations`, `resources`, and `replicaCount` parameters.	N/A
kernel.enabled	Specifies whether to enable custom kernel parameters.	false
kernel.parameters	The kernel parameters. The following kernel parameters are supported: Notice Specific kernel parameters that are supported by ASM may become invalid due to the kernel version of the host. If the situation occurs, the pod of the ingress gateway service may report errors. You can run the `kubectl describe pod` command to view the errors that are reported by the pod of the ingress gateway service. After you delete invalid parameters, containers can start as expected. The values of all the kernel parameters must be of the STRING type. YAML recognizes numbers as numeric values. Therefore, you must enclose each value in double quotation marks ("). Example: net.core.somaxconn: "65535". `net.core.somaxconn` `net.core.netdev_max_backlog` `net.ipv4.tcp_rmem` `net.ipv4.tcp_wmem` `net.ipv4.ip_local_port_range` `net.ipv4.tcp_fin_timeout` `net.ipv4.tcp_tw_timeout` `net.ipv4.tcp_tw_reuse` `net.ipv4.tcp_tw_recycle` `net.ipv4.tcp_timestamps` `net.ipv4.tcp_retries2` `net.ipv4.tcp_slow_start_after_idle` `net.ipv4.tcp_max_orphans` `net.ipv4.tcp_max_syn_backlog` `net.ipv4.tcp_no_metrics_save` `net.ipv4.tcp_autocorking` `kernel.printk` `vm.swappiness`	N/A
compression.enabled	Specifies whether to enable the compression feature for the ingress gateway service.	false
compression.content_type	The Content-Type headers to be compressed. Examples: `text/html` `application/json`	N/A
compression.disable_on_etag_header	Specifies whether to disable the compression feature when an HTTP response includes the ETag header. If the parameter is set to `true`, the compression feature is disabled when the ETag header is included in an HTTP response.	false
compression.min_content_length	The threshold at which compression is triggered. The parameter value indicates the size of the Content-Length header.	30
compression.remove_accept_encoding_header	Specifies whether to remove the Accept-Encoding header from an HTTP request that is sent by a client before the ingress gateway service forwards the HTTP request to an upstream server. If the parameter is set to `true`, the Accept-Encoding header is removed from the HTTP request. If the parameter is set to `false`, the Accept-Encoding header is retained in the HTTP request.	false
compression.gzip	The compression format. Only the GZIP format is supported. If you want to enable the compression feature, this parameter is required. If the default values are used for all the other parameters, you must specify an empty value for this parameter. Example: `gzip: {}`.	N/A
compression.gzip.memory_level	The memory usage level of the zlib library. Valid values: 1 to 9. A larger value of this parameter results in higher memory usage but a higher compression speed and better compression quality.	5
compression.gzip.compression_level	The compression level that is used by the zlib library. Valid values: Note DEFAULT_COMPRESSION is the default compression level. BEST_COMPRESSION indicates the highest compression quality. BEST_SPEED indicates the highest compression speed. COMPRESSION_LEVEL_1 is equivalent to BEST_SPEED. COMPRESSION_LEVEL_9 is equivalent to BEST_COMPRESSION. COMPRESSION_LEVEL_6 is equivalent to DEFAULT_COMPRESSION. `COMPRESSION_LEVEL_1` `COMPRESSION_LEVEL_2` `COMPRESSION_LEVEL_3` `COMPRESSION_LEVEL_4` `COMPRESSION_LEVEL_5` `COMPRESSION_LEVEL_6` `COMPRESSION_LEVEL_7` `COMPRESSION_LEVEL_8` `COMPRESSION_LEVEL_9` `DEFAULT_COMPRESSION` `BEST_COMPRESSION` `BEST_SPEED`	DEFAULT_COMPRESSION
compression.gzip.compression_strategy	The compression policy that is used by the zlib library. Valid values: `FILTERED` `FIXED` `HUFFMAN_ONLY` `RLE`	DEFAULT_STRATEGY
compression.gzip.window_bits	The window size of the zlib library. Valid values: 9 to 15.	12
compression.gzip.chunk_size	The output buffer size of the zlib library.	4096
hostNetwork	Specifies whether to allow the pod of the ingress gateway service to access the network namespace of the host. If you set the `hostNetwork` parameter to `true`, the pod of the ingress gateway service is allowed to access the network namespace of the host.	false
dnsPolicy	The Domain Name System (DNS) policy set for the pod of the ingress gateway service. For more information about DNS policies, see DNS for Services and Pods.	ClusterFirst

Use the kubectl client to access the kubeconfig file of the ASM instance. For more information, see Use kubectl to connect to an ASM instance.
Create a namespace that is named myexample. For more information, see Create a namespace.
Run the kubectl apply -f myexample-customingressgateway.yaml command on the kubectl client to create a custom ingress gateway service.

View the result

After you deploy the custom ingress gateway service, you can view the details of the custom ingress gateway service in the ACK console.

To view the details of the ingress gateway service, perform the following steps:

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the details page, choose Network > Services
At the top of the Services page, select myexample from the Namespace drop-down list.
Click Details in the Actions column of the custom ingress gateway service that you want to view.

To view the pod information about the custom ingress gateway service, perform the following steps:

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the details page, choose Workloads > Pods.
At the top of the Pods page, select myexample from the Namespace drop-down list.
Click Details in the Actions column of the pod of the custom ingress gateway service that you want to view.