Service Mesh (ASM) provides a CustomResourceDefinition (CRD) API resource whose kind is IstioGateway and whose apiVersion is istio.alibabacloud.com/v1beta1. In addition, ASM provides a controller to manage the resource. The controller monitors changes to the CRD and updates the Service, Deployment, and ServiceAccount of the Kubernetes cluster in which the controller runs. This topic describes the configuration examples and CRD fields for an ASM gateway.
Configuration examples
Prerequisites
A cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
ASM gateways must be deployed in the istio-system namespace. This way, when you start an ASM gateway, the configurations of the ASM gateway can be obtained to ensure a successful startup. If you deploy an ASM gateway in another namespace, the ASM gateway cannot be started up in Istio 1.6 or later due to a failure to obtain the gateway configurations.
Example 1: Create and manage an ingress gateway by using the Kubernetes API
- Log on to the ASM console. In the left-side navigation pane, choose .
- On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
- On the Ingress Gateway page, click Create from YAML.
- On the Create page, enter a name for the ingress gateway in the Name field, select istio-system from the Namespace drop-down list, configure the following fields in the YAML file, and then click Create.
  For more information about CRD fields, see CRD fields.
  Note: If you need to use Go Client for Kubernetes to manage the ingress gateway, see Go structs for an ASM gateway.
- View the service information of the ingress gateway by performing the following steps:
  - Log on to the ACK console and click Clusters in the left-side navigation pane.
  - On the Clusters page, click the name of a cluster and choose in the left-side navigation pane.
  - In the upper part of the Services page, select istio-system from the Namespace drop-down list.
  - In the list of services, click the name of the desired ingress gateway to view its service information.
- View the pod information of the ingress gateway by performing the following steps:
  - Log on to the ACK console and click Clusters in the left-side navigation pane.
  - On the Clusters page, click the name of a cluster and choose in the left-side navigation pane.
  - In the upper part of the Pods page, select istio-system from the Namespace drop-down list.
  - In the list of pods, find a pod of the ingress gateway and click the pod name to view the pod information.
Example 2: Create and manage an egress gateway by using the Kubernetes API
ASM provides the egress gateway service to route all outbound traffic in the mesh.
- Log on to the ASM console. In the left-side navigation pane, choose .
- On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
- On the Egress Gateway page, click Create from YAML.
- On the Create page, enter a name for the egress gateway in the Name field, select istio-system from the Namespace drop-down list, configure the following fields in the YAML file, and then click Create.
  For more information about CRD fields, see CRD fields.
- View the service information of the egress gateway by performing the following steps:
  - Log on to the ACK console and click Clusters in the left-side navigation pane.
  - On the Clusters page, click the name of a cluster and choose in the left-side navigation pane.
  - In the upper part of the Services page, select istio-system from the Namespace drop-down list.
  - In the list of services, click the name of the desired egress gateway to view its service information.
- View the pod information of the egress gateway by performing the following steps:
  - Log on to the ACK console and click Clusters in the left-side navigation pane.
  - On the Clusters page, click the name of a cluster and choose in the left-side navigation pane.
  - In the upper part of the Pods page, select istio-system from the Namespace drop-down list.
  - In the list of pods, find a pod of the egress gateway and click the pod name to view the pod information.
CRD fields
| Field | Description | Default value |
| --- | --- | --- |
| metadata.name | The name of the ASM gateway. The generated Kubernetes Service and Deployment are both named istio-{metadata.name}. | Not supported |
| metadata.namespace | The namespace in which the ASM gateway is deployed. The generated Kubernetes Service and Deployment reside in this namespace. Important: To ensure that the generated Kubernetes Service and Deployment are available when the Istio version is 1.6 or later, the namespace must be istio-system. | istio-system |
| clusterIds | The IDs of the clusters in which you want to deploy the ASM gateway. The value is an array. The clusters must be managed in the current ASM instance. | Not supported |
| env | The environment variables of the ASM gateway pod. The value is an array. | Not supported |
| externalTrafficPolicy | Specifies whether the gateway routes inbound traffic to node-local or cluster-wide endpoints. Valid values: Cluster or Local. Note: This field is available only for ingress gateways. | Cluster |
| ports | The ports and protocols that are defined for the ASM gateway pod. The value is an array. Note: In versions earlier than 1.9.7.107, the protocol field must be set to TCP. | Not supported |
| gatewayType | The type of the ASM gateway. Valid values: ingress and egress. | ingress |
| replicaCount | The number of pod replicas. | 1 |
| configVolumes | The ConfigMap volume that is mounted to the ASM gateway pod. | Not supported |
| resources | The resource configurations of the ASM gateway pod. | |
| secretVolumes | The Secret volume that is mounted to the ASM gateway pod. | Not supported |
| serviceType | The Service type of the ASM gateway. Valid values: LoadBalancer, NodePort, and ClusterIP. For egress gateways, this field is usually set to ClusterIP. Important: If you use a registered cluster on the data plane and this field is set to LoadBalancer, make sure that the cluster supports LoadBalancer Services. Otherwise, the ASM gateway may fail to be created. | LoadBalancer |
| serviceAnnotations | The annotations of the ASM gateway Service. Note: This field is available only for gateways whose serviceType is LoadBalancer. For egress gateways, this field is usually not configured. | Not supported |
| serviceLabels | The labels of the ASM gateway Service. | Not supported |
| podLabels | The labels of the ASM gateway pod. | Not supported |
| podAnnotations | The annotations of the ASM gateway pod. | Not supported |
| rollingMaxSurge | The maximum number of pods that can be scheduled above the expected number of replicas during a rolling update. The value can be an absolute number or a percentage. | "100%" |
| rollingMaxUnavailable | The maximum number of pods that can be unavailable during a rolling update. The value can be an absolute number or a percentage. | "25%" |
| overrides | Configures distinct settings for specific clusters. This field is available when the clusterIds field specifies two or more clusters. Use it when specific clusters need settings that differ from the common settings above. The value is a map of key-value pairs. | Not supported |
| kernel.enabled | Specifies whether to enable custom kernel fields. | false |
| kernel.parameters | The kernel fields. The following kernel fields are supported: Note: Specific kernel fields that are supported by ASM may become invalid due to the kernel version of a host. If this situation occurs, the ASM gateway pod may report errors. You can run the The values of all the kernel fields must be strings. YAML recognizes unquoted numbers as numeric values, so you must enclose each value in double quotation marks ("). Example: net.core.somaxconn: "65535". | Not supported |
| compression.enabled | Specifies whether to enable the compression feature for an ingress gateway. Note: Compression-related fields are available only for ingress gateways. | false |
| compression.content_type | The types of data to be compressed, as indicated by the Content-Type header. | Not supported |
| compression.disable_on_etag_header | | false |
| compression.min_content_length | The threshold at which compression is triggered, compared against the value of the Content-Length header. | 30 |
| compression.remove_accept_encoding_header | | false |
| compression.gzip | The compression format. Only the GZIP format is supported. If you want to enable the compression feature, this field is required. If the default values are used for all the other gzip fields, leave this field empty. | Not supported |
| compression.gzip.memory_level | The memory usage level of the zlib library. Valid values: 1 to 9. A larger value results in higher memory usage but a higher compression speed and better compression quality. | 5 |
| compression.gzip.compression_level | The compression level that is used by the zlib library. Valid values: Note: BEST_COMPRESSION indicates the highest compression quality. BEST_SPEED indicates the highest compression speed. The following list describes some compression levels: | DEFAULT_COMPRESSION |
| compression.gzip.compression_strategy | The compression strategy that is used by the zlib library. Valid values: | DEFAULT_STRATEGY |
| compression.gzip.window_bits | The window size of the zlib library. Valid values: 9 to 15. | 12 |
| compression.gzip.chunk_size | The output buffer size of the zlib library. | 4096 |
| hostNetwork | Specifies whether the ASM gateway pod may share the network namespace of the host. Valid values: true and false. | false |
| dnsPolicy | The Domain Name System (DNS) policy of the ASM gateway pod. For more information about DNS policies, see DNS for Services and Pods. | ClusterFirst |
| cpu.targetAverageUtilization | The expected CPU utilization when HPA is enabled. Valid values: 1 to 100. If the CPU utilization exceeds this value, the number of pod replicas increases. If the CPU utilization is less than this value, the number of pod replicas decreases. | Not supported |
| memory.targetAverageUtilization | The expected memory usage when HPA is enabled. Valid values: 1 to 100. If the memory usage exceeds this value, the number of pod replicas increases. If the memory usage is less than this value, the number of pod replicas decreases. | Not supported |
| maxReplicas | The maximum number of pod replicas that the HPA feature can scale the ASM gateway to. The value must be a positive integer. | Not supported |
| minReplicas | The minimum number of pod replicas that the HPA feature can scale the ASM gateway to. The value must be a positive integer. The minimum value is 1. | Not supported |
| nodeSelector | Specifies the label of the node on which the ASM gateway pod resides. You can customize the key and value. | Not supported |
| affinity | Configures node affinity to schedule the ASM gateway pod to a node. For more information, see Affinity and anti-affinity. | Not supported |
| tolerations | Configures tolerations so that the ASM gateway pod tolerates the taints on a node. For more information, see Taints and Tolerations. | Not supported |
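The following is an added example, not part of ASM or this topic: a pre-apply lint that checks an IstioGateway manifest against the constraints in the table above (namespace, gateway type, service type, ingress-only fields, quoted kernel values, replica bounds) and flags hostNetwork for review. It assumes the table's fields live under spec, as in a standard Kubernetes custom resource; the sample manifest and its cluster ID are constructed.

```python
# Added example, not ASM's own code. Assumes the CRD table's fields live under
# spec; the constants below are the apiVersion and kind documented for the CRD.
API_VERSION, KIND = "istio.alibabacloud.com/v1beta1", "IstioGateway"
SERVICE_TYPES = ("LoadBalancer", "NodePort", "ClusterIP")


def lint_gateway(manifest):
    """Return a list of problems; an empty list means the manifest passes."""
    problems = []
    spec = manifest.get("spec", {})
    if (manifest.get("apiVersion"), manifest.get("kind")) != (API_VERSION, KIND):
        problems.append("apiVersion/kind must be %s %s" % (API_VERSION, KIND))
    if manifest.get("metadata", {}).get("namespace") != "istio-system":
        problems.append("metadata.namespace must be istio-system (Istio 1.6 or later)")
    gw_type = spec.get("gatewayType", "ingress")
    if gw_type not in ("ingress", "egress"):
        problems.append("gatewayType must be ingress or egress")
    svc_type = spec.get("serviceType", "LoadBalancer")
    if svc_type not in SERVICE_TYPES:
        problems.append("serviceType must be one of %s" % ", ".join(SERVICE_TYPES))
    if gw_type == "egress":
        for field in ("externalTrafficPolicy", "compression"):
            if field in spec:
                problems.append("%s is available only for ingress gateways" % field)
    # Sysctl values must be quoted strings; YAML parses a bare 65535 as an integer.
    for key, value in spec.get("kernel", {}).get("parameters", {}).items():
        if not isinstance(value, str):
            problems.append("kernel.parameters %s must be a quoted string" % key)
    low = spec.get("minReplicas", 1)
    high = spec.get("maxReplicas", low)
    if not (isinstance(low, int) and low >= 1 and isinstance(high, int) and high >= low):
        problems.append("minReplicas must be >= 1 and maxReplicas >= minReplicas")
    for resource in ("cpu", "memory"):
        util = spec.get(resource, {}).get("targetAverageUtilization")
        if util is not None and not 1 <= util <= 100:
            problems.append("%s.targetAverageUtilization must be within 1 to 100" % resource)
    if spec.get("hostNetwork"):  # pod would share the node's network namespace
        problems.append("hostNetwork is true; confirm the gateway needs the host network")
    return problems


# Constructed sample with deliberate mistakes; the cluster ID is a placeholder.
SAMPLE = {
    "apiVersion": API_VERSION, "kind": KIND,
    "metadata": {"name": "egressgateway", "namespace": "default"},
    "spec": {"gatewayType": "egress", "serviceType": "ClusterIP",
             "clusterIds": ["<cluster-id>"], "compression": {"enabled": True},
             "kernel": {"enabled": True, "parameters": {"net.core.somaxconn": 65535}},
             "minReplicas": 2, "maxReplicas": 1},
}
```

Running lint_gateway(SAMPLE) reports the wrong namespace, the ingress-only compression block on an egress gateway, the unquoted sysctl, and the inverted replica bounds.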
Fields whose changes will cause a rolling restart of the ASM gateway
Changing the following fields will cause a rolling restart of the ASM gateway. Exercise caution when changing these fields.
- env
- ports (If the version of the ASM instance is earlier than 1.16, changing this field will cause a rolling restart of the ASM gateway. If the version of the ASM instance is 1.16 or later, changing this field will not cause a rolling restart.)
- configVolumes
- resources
- secretVolumes
- podLabels
- podAnnotations
- kernel.enabled
- kernel.parameters
- hostNetwork
- dnsPolicy
- nodeSelector (subject to scheduling)
- affinity (subject to scheduling)
- tolerations (subject to scheduling)
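As an added example (not ASM's own code), the following change-review helper compares the old and new spec of an IstioGateway and, given the ASM instance version, lists the changed fields from the list above that will roll the gateway pods; it assumes the table's fields live under spec, and the old and new specs are constructed.

```python
# Added example, not ASM's own code: which changed IstioGateway spec fields will
# roll the gateway pods, using the restart list documented above.
RESTART_FIELDS = {"env", "configVolumes", "resources", "secretVolumes", "podLabels",
                  "podAnnotations", "kernel.enabled", "kernel.parameters", "hostNetwork",
                  "dnsPolicy", "nodeSelector", "affinity", "tolerations"}
SCHEDULING_FIELDS = {"nodeSelector", "affinity", "tolerations"}  # restart depends on scheduling


def _changed_keys(old, new, prefix=""):
    """Yield dotted names of keys whose values differ between two dicts."""
    for key in sorted(set(old) | set(new)):
        if old.get(key) != new.get(key):
            yield prefix + key


def _major_minor(version):
    """'1.15.3' -> (1, 15); enough for the ports rule below."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def restart_triggers(old_spec, new_spec, asm_version):
    """Sorted changed fields that cause a rolling restart. kernel is expanded to
    kernel.enabled / kernel.parameters; ports counts only before ASM 1.16."""
    changed = set(_changed_keys(old_spec, new_spec))
    if "kernel" in changed:
        changed.discard("kernel")
        changed |= set(_changed_keys(old_spec.get("kernel", {}),
                                     new_spec.get("kernel", {}), "kernel."))
    triggers = changed & RESTART_FIELDS
    if "ports" in changed and _major_minor(asm_version) < (1, 16):
        triggers.add("ports")
    return sorted(triggers)


def describe(old_spec, new_spec, asm_version):
    """Human-readable verdict for a change review."""
    triggers = restart_triggers(old_spec, new_spec, asm_version)
    if not triggers:
        return "no rolling restart expected"
    notes = ["%s (subject to scheduling)" % f if f in SCHEDULING_FIELDS else f for f in triggers]
    return "rolling restart expected: " + ", ".join(notes)


# Constructed sample: scale out, add a listener, raise a sysctl, pin to labelled nodes.
OLD = {"replicaCount": 1, "ports": [{"name": "http", "port": 80, "protocol": "TCP"}],
       "kernel": {"enabled": True, "parameters": {"net.core.somaxconn": "1024"}}}
NEW = {"replicaCount": 3, "ports": OLD["ports"] + [{"name": "https", "port": 443, "protocol": "TCP"}],
       "kernel": {"enabled": True, "parameters": {"net.core.somaxconn": "65535"}},
       "nodeSelector": {"gateway": "true"}}
```

For OLD to NEW on an instance earlier than 1.16 the verdict names kernel.parameters, nodeSelector and ports; on 1.16 or later the ports change drops out, and the replicaCount change never counts.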