Alibaba Cloud Service Mesh (ASM) allows you to create and manage gateways by using CustomResourceDefinitions (CRDs). This topic describes the fields of the IstioGateway CRD (apiVersion istio.alibabacloud.com/v1beta1, kind IstioGateway) that define a gateway.
CRD fields
Field | Description | Default value |
---|---|---|
metadata.name | The name of the gateway. The generated Kubernetes Service and Deployment are both named istio-<metadata.name>. | - |
metadata.namespace | The namespace in which the generated Kubernetes Service and Deployment reside. Important: For Istio 1.6 or later, the namespace must be istio-system; otherwise the generated Service and Deployment are not available. | istio-system |
clusterIds | The IDs of the clusters in which to deploy the ingress gateway. The value is an array. The clusters must be managed by the current ASM instance. | - |
env | The environment variables of the ingress gateway pod. The value is an array of Kubernetes EnvVar entries (name and value). | - |
externalTrafficPolicy | Specifies whether the gateway Service routes inbound traffic to node-local or cluster-wide endpoints. Valid values: Cluster and Local. With Local, a node forwards traffic only to gateway pods running on that node and the client source IP is preserved; with Cluster, traffic may be forwarded to a pod on another node and the source address is rewritten (SNAT), which matters for access logs and IP-based allowlists. | Cluster |
ports | The ports and protocols that are defined for the ingress gateway pod. The value is an array of Kubernetes ServicePort entries (name, port, targetPort, and protocol); see the ports list in the sample YAML below. Note: In ASM versions earlier than 1.9.7.107, the protocol field must be set to TCP. | - |
replicaCount | The number of pod replicas. | 1 |
configVolumes | The ConfigMap volumes that are mounted into the ingress gateway pod. The value is an array; each entry has name, configMapName, and mountPath fields (see the ConfigVolume struct below). | - |
resources | The resource requests and limits of the ingress gateway pod (a Kubernetes ResourceRequirements object). | - |
secretVolumes | The Secret volumes that are mounted into the ingress gateway pod. The value is an array; each entry has name, secretName, and mountPath fields. See the commented-out secretVolumes block in the sample YAML below. | - |
serviceType | The type of the Kubernetes Service created for the ingress gateway. Valid values: LoadBalancer, NodePort, and ClusterIP. Important: If you use a registered cluster on the data plane and set this field to LoadBalancer, make sure that the cluster supports LoadBalancer Services; otherwise the ASM gateway may fail to be created. A LoadBalancer Service whose address-type annotation is internet (as in the sample below) is reachable from the public Internet; use intranet for gateways that should only be reachable inside the VPC. | LoadBalancer |
serviceAnnotations | The annotations of the ingress gateway Service. Example: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain: 'on' together with service.beta.kubernetes.io/alibaba-cloud-loadbalancer-connection-drain-timeout: '20'. Note: For more information about common annotations, see Use annotations to configure load balancing. | - |
serviceLabels | The labels of the ingress gateway. | - |
podLabels | The labels of the ingress gateway pod. | - |
podAnnotations | The annotations of the ingress gateway pod. | - |
rollingMaxSurge | The maximum number of pods that are scheduled above the expected number of replicas during a rolling update. The value can be an absolute value or a percentage. | "100%" |
rollingMaxUnavailable | The maximum number of pods that can be unavailable during a rolling update. The value can be an absolute value or a percentage. | "25%" |
overrides | Configures settings for specific clusters. This field is available when clusterIds specifies two or more clusters; use it to give particular clusters settings that differ from the cluster-wide settings above. The value is a map whose keys are cluster IDs listed in clusterIds and whose values accept the same fields as the top-level gateway settings (see the sample YAML below). | - |
kernel.enabled | Specifies whether to enable custom kernel fields. | false |
kernel.parameters | The kernel fields to set. The following fields are supported (see the KernelParameters struct below): net.core.somaxconn, net.core.netdev_max_backlog, net.ipv4.tcp_rmem, net.ipv4.tcp_wmem, net.ipv4.ip_local_port_range, net.ipv4.tcp_fin_timeout, net.ipv4.tcp_tw_timeout, net.ipv4.tcp_tw_reuse, net.ipv4.tcp_tw_recycle, net.ipv4.tcp_timestamps, net.ipv4.tcp_retries2, net.ipv4.tcp_slow_start_after_idle, net.ipv4.tcp_max_orphans, net.ipv4.tcp_max_syn_backlog, net.ipv4.tcp_no_metrics_save, net.ipv4.tcp_autocorking, kernel.printk, and vm.swappiness. Note: Some of these fields may be unavailable on a given host kernel version (for example, net.ipv4.tcp_tw_recycle was removed in Linux 4.12); if so, the ingress gateway pod may report errors. You can run the kernel.printk and vm.swappiness are not network-namespaced, so changing them affects the whole node, not only the gateway pod. The values of all kernel fields must be strings. YAML parses bare numbers as numeric values, so enclose each value in double quotation marks ("). Example: net.core.somaxconn: "65535". | - |
compression.enabled | Specifies whether to enable the compression feature for the ingress gateway. | false |
compression.content_type | The types of data to be compressed, matched against the Content-Type response header. The value is an array of MIME type strings, for example text/html or application/json. | - |
compression.disable_on_etag_header | Specifies whether to skip compression when the response carries an ETag header. If false, weak ETags (W/"...") are preserved and strong ETags are removed, because a strong ETag is no longer valid for the compressed body. | false |
compression.min_content_length | The minimum response size, in bytes, at which compression is applied; compared against the Content-Length header. | 30 |
compression.remove_accept_encoding_header | Specifies whether to remove the Accept-Encoding header from the request before it is forwarded upstream, so that the upstream service does not compress the response itself and the gateway applies its own compression. | false |
compression.gzip | The compression format. Currently, only GZIP is supported, and this field is required when compression is enabled. To use the default values for all compression.gzip.* fields, set it to an empty object: gzip: {}. | - |
compression.gzip.memory_level | The memory usage level of the zlib library. Valid values: 1 to 9. A larger value uses more memory but compresses faster and with a better ratio. | 5 |
compression.gzip.compression_level | The compression level used by the zlib library. Valid values include DEFAULT_COMPRESSION, BEST_COMPRESSION (highest compression ratio, slowest), and BEST_SPEED (fastest, lowest ratio). | DEFAULT_COMPRESSION |
compression.gzip.compression_strategy | The compression strategy used by the zlib library. Valid values: DEFAULT_STRATEGY, FILTERED, HUFFMAN_ONLY, RLE, and FIXED. | DEFAULT_STRATEGY |
compression.gzip.window_bits | The window size of the zlib library. Valid values: 9 to 15. | 12 |
compression.gzip.chunk_size | The output buffer size of the zlib library, in bytes. | 4096 |
hostNetwork | Specifies whether the ingress gateway pod shares the network namespace of its host node. Valid values: true and false. A hostNetwork pod binds ports directly on the node and can see all host interfaces, so treat it as a privileged setting (the baseline Pod Security Standard forbids it) and leave it false unless a node-level listener is required. | false |
dnsPolicy | The Domain Name System (DNS) policy of the gateway pod. If hostNetwork is true, set dnsPolicy to ClusterFirstWithHostNet; otherwise the pod uses the node's resolver and cannot resolve cluster Service names. For more information about DNS policies, see DNS for Services and Pods. | ClusterFirst |
cpu.targetAverageUtilization | The expected CPU utilization when Horizontal Pod Autoscaling (HPA) is enabled. Valid values: 1 to 100. If the CPU utilization exceeds this value, the number of pod replicas increases. If the CPU utilization is less than this value, the number of pod replicas decreases. | - |
memory.targetAverageUtilization | The expected memory usage when HPA is enabled. Valid values: 1 to 100. If the memory usage exceeds this value, the number of pod replicas increases. If the memory usage is less than this value, the number of pod replicas decreases. | - |
maxReplicas | The maximum number of pod replicas that can be scaled to by the HPA feature for the gateway. The value of this field must be a positive integer. | - |
minReplicas | The minimum number of pod replicas that can be scaled to by the HPA feature for the gateway. The value is a positive integer. The minimum value is 1. | - |
nodeSelector | Selects the nodes on which the gateway pod may run, as a map of node label keys and values. You can customize the key and value. | - |
affinity | You can configure the node affinity to schedule the gateway pod to a node. For more information, see Affinity and anti-affinity. | - |
tolerations | You can configure tolerations for the gateway pod to tolerate the taints on a node. For more information, see Taints and Tolerations. | - |
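How the compression.* fields above interact on a single request, as an added example: the following Python is not ASM or Envoy code. It re-implements the documented decision rules (the client must offer gzip, the response Content-Type must be in content_type, Content-Length must reach min_content_length, disable_on_etag_header and remove_accept_encoding_header) over constructed request and response headers. The DEFAULT_CONTENT_TYPES list is Envoy's documented default for an empty content_type, and the ETag, Vary and Content-Length handling after compression follows Envoy's compressor filter; none of it is ASM-specific.

```python
"""Decision logic of the gateway's gzip compressor for one HTTP exchange.
Added example, not code from ASM or Envoy: it re-implements the effect of the
documented fields compression.enabled, content_type, min_content_length,
disable_on_etag_header and remove_accept_encoding_header on constructed headers.
All header dicts use lower-cased header names."""

# Types compressed when compression.content_type is left empty (Envoy's default list).
DEFAULT_CONTENT_TYPES = (
    "application/javascript", "application/json", "application/xhtml+xml",
    "image/svg+xml", "text/css", "text/html", "text/plain", "text/xml",
)


def _offered_encodings(accept_encoding):
    """Parse an Accept-Encoding value such as 'gzip;q=1.0, br' into the set of
    encodings the client accepts; an encoding with q=0 is explicitly refused."""
    offered = set()
    for part in accept_encoding.split(","):
        token, _, params = part.strip().partition(";")
        if not token:
            continue
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        if q > 0:
            offered.add(token.lower())
    return offered


def should_compress(cfg, req, resp):
    """Return (decision, reason) for one request/response pair."""
    if not cfg.get("enabled", False):
        return False, "compression.enabled is false"
    if "gzip" not in _offered_encodings(req.get("accept-encoding", "")):
        return False, "client did not offer gzip"
    if "content-encoding" in resp:
        return False, "response is already encoded"
    ctype = resp.get("content-type", "").partition(";")[0].strip().lower()
    allowed = {c.lower() for c in (cfg.get("content_type") or DEFAULT_CONTENT_TYPES)}
    if ctype not in allowed:
        return False, f"content-type {ctype!r} not in compression.content_type"
    if cfg.get("disable_on_etag_header", False) and "etag" in resp:
        return False, "disable_on_etag_header is set and the response has an ETag"
    length = resp.get("content-length")
    if length is not None and int(length) < cfg.get("min_content_length", 30):
        return False, f"content-length {length} is below min_content_length"
    return True, "compress"


def upstream_request_headers(cfg, req):
    """Headers forwarded to the upstream. remove_accept_encoding_header stops the
    backend from compressing first, which would make the gateway skip the body."""
    out = dict(req)
    if cfg.get("remove_accept_encoding_header", False):
        out.pop("accept-encoding", None)
    return out


def downstream_response_headers(cfg, req, resp):
    """Response headers as sent to the client. When compressing, the body is
    re-chunked, Vary is set, and a strong ETag (no longer valid for the
    compressed bytes) is dropped while a weak ETag (W/"...") is kept."""
    out = dict(resp)
    ok, _ = should_compress(cfg, req, resp)
    if not ok:
        return out
    out["content-encoding"] = "gzip"
    out.pop("content-length", None)
    out["transfer-encoding"] = "chunked"
    out["vary"] = "Accept-Encoding"
    if "etag" in out and not out["etag"].startswith("W/"):
        del out["etag"]
    return out


# Constructed configuration and headers for the demonstration.
CFG = {"enabled": True, "min_content_length": 30, "disable_on_etag_header": False,
       "remove_accept_encoding_header": True,
       "content_type": ["text/html", "application/json"], "gzip": {}}
REQ = {"accept-encoding": "gzip, deflate, br", "host": "shop.example.com"}
RESP_JSON = {"content-type": "application/json; charset=utf-8",
             "content-length": "2048", "etag": '"abc123"'}

if __name__ == "__main__":
    print(should_compress(CFG, REQ, RESP_JSON))
    print(downstream_response_headers(CFG, REQ, RESP_JSON))
```

Keep content_type narrow on gateways that serve authenticated HTML: compressing a page that reflects attacker-controlled input next to a secret such as a CSRF token exposes the secret to BREACH-style length oracles, so compress static assets and APIs where that risk is understood rather than every text/html response by default.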
Sample YAML code
```yaml
apiVersion: istio.alibabacloud.com/v1beta1
kind: IstioGateway
metadata:
  name: "myexample-customingressgateway"
  # Istio 1.6 and later require istio-system here (see the metadata.namespace row above).
  namespace: "myexample"
spec:
  clusterIds:
    - "cluster1Id"
    - "cluster2Id"
  cpu:
    targetAverageUtilization: 80
  env:
    - name: "envname1"
      value: "envvalue1"
  externalTrafficPolicy: Local
  maxReplicas: 2
  minReplicas: 1
  ports:
    - name: status-port
      port: 15020
      targetPort: 15020
    - name: http2
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 0
    - name: tls
      port: 15443
      targetPort: 15443
  replicaCount: 1
  resources:
    limits:
      cpu: '2'
      memory: 2G
    requests:
      cpu: 200m
      memory: 256Mi
  sds:
    enabled: false
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 2000m
        memory: 1024Mi
  # secretVolumes:
  #   - name: myexample-customingressgateway-certs
  #     secretName: istio-myexample-customingressgateway-certs
  #     mountPath: /etc/istio/myexample-customingressgateway-certs
  serviceType: LoadBalancer
  serviceAnnotations:
    # internet creates a public-facing SLB; use intranet for VPC-only gateways.
    service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
  serviceLabels:
    serviceLabelKey1: "serviceLabelValue1"
  podAnnotations:
    podAnnotationsKey1: "podAnnotationsValue1"
  rollingMaxSurge: "100%"
  rollingMaxUnavailable: "25%"
  # Per-cluster settings; keys must be IDs listed in clusterIds.
  overrides:
    cluster1Id:
      replicaCount: 1
      resources:
        limits:
          cpu: '2'
          memory: 2G
        requests:
          cpu: 200m
          memory: 256Mi
      serviceAnnotations:
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: "slb.s1.small"
    cluster2Id:
      replicaCount: 2
      resources:
        limits:
          cpu: '4'
          memory: 4G
        requests:
          cpu: 400m
          memory: 512Mi
      serviceAnnotations:
        service.beta.kubernetes.io/alicloud-loadbalancer-address-type: internet
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: "slb.s2.small"
```
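A lint pass over an IstioGateway object in its JSON form (what kubectl get istiogateway <name> -o json returns), as an added example rather than ASM's own code. It encodes the field rules from the table above (valid serviceType values, string-typed kernel parameter values and the supported key list from the KernelParameters struct, overrides keys belonging to clusterIds, gzip being required when compression is enabled, the istio-system namespace rule) plus the hardening checks a reviewer would add: a public-facing SLB address type, hostNetwork and its DNS policy, runAsRoot, and node-wide sysctls. The RISKY_GATEWAY object is constructed for the demonstration; the severity labels and message texts are my own, and both address-type annotation spellings are checked because both prefixes appear in the sample above.

```python
"""Lint an IstioGateway object (JSON form, e.g. `kubectl get istiogateway X -o json`)
against the field rules on this page plus a few hardening checks.
Added example: not ASM's own code. The sample object below is constructed."""
import json

# Keys accepted by kernel.parameters, taken from the KernelParameters Go struct.
SUPPORTED_SYSCTLS = {
    "net.core.somaxconn", "net.core.netdev_max_backlog",
    "net.ipv4.tcp_rmem", "net.ipv4.tcp_wmem", "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_fin_timeout", "net.ipv4.tcp_tw_timeout", "net.ipv4.tcp_tw_reuse",
    "net.ipv4.tcp_tw_recycle", "net.ipv4.tcp_timestamps", "net.ipv4.tcp_retries2",
    "net.ipv4.tcp_slow_start_after_idle", "net.ipv4.tcp_max_orphans",
    "net.ipv4.tcp_max_syn_backlog", "net.ipv4.tcp_no_metrics_save",
    "net.ipv4.tcp_autocorking", "kernel.printk", "vm.swappiness",
}
# Sysctls that are not per-network-namespace: changing them affects the whole node.
NODE_WIDE_SYSCTLS = {"kernel.printk", "vm.swappiness"}
SERVICE_TYPES = {"LoadBalancer", "NodePort", "ClusterIP"}
# Both annotation spellings seen in the sample manifest (alicloud- and alibaba-cloud-).
ADDRESS_TYPE_KEYS = (
    "service.beta.kubernetes.io/alicloud-loadbalancer-address-type",
    "service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type",
)


def _check_basic(cfg, where, findings):
    """Checks that apply to spec and to each overrides[<clusterId>] entry."""
    stype = cfg.get("serviceType")
    if stype is not None and stype not in SERVICE_TYPES:
        findings.append(("ERROR", f"{where}.serviceType={stype!r} is invalid (valid: {sorted(SERVICE_TYPES)})"))
    ann = cfg.get("serviceAnnotations") or {}
    if stype == "LoadBalancer" and any(ann.get(k) == "internet" for k in ADDRESS_TYPE_KEYS):
        findings.append(("WARN", f"{where}: LoadBalancer with address-type=internet is reachable from the public Internet"))
    if cfg.get("hostNetwork") is True:
        findings.append(("WARN", f"{where}.hostNetwork=true shares the node's network namespace with the gateway pod"))
        if cfg.get("dnsPolicy", "ClusterFirst") != "ClusterFirstWithHostNet":
            findings.append(("WARN", f"{where}: hostNetwork pods need dnsPolicy=ClusterFirstWithHostNet to keep cluster DNS"))
    if cfg.get("runAsRoot") is True:
        findings.append(("WARN", f"{where}.runAsRoot=true runs the gateway as uid 0"))
    etp = cfg.get("externalTrafficPolicy")
    if etp is not None and etp not in ("Cluster", "Local"):
        findings.append(("ERROR", f"{where}.externalTrafficPolicy={etp!r} is invalid"))
    mn, mx = cfg.get("minReplicas"), cfg.get("maxReplicas")
    if mn is not None and mn < 1:
        findings.append(("ERROR", f"{where}.minReplicas must be at least 1"))
    if mn is not None and mx is not None and mn > mx:
        findings.append(("ERROR", f"{where}: minReplicas {mn} exceeds maxReplicas {mx}"))
    kernel = cfg.get("kernel") or {}
    if kernel.get("enabled"):
        for key, val in (kernel.get("parameters") or {}).items():
            if key not in SUPPORTED_SYSCTLS:
                findings.append(("ERROR", f"{where}.kernel.parameters: {key} is not a supported field"))
            if not isinstance(val, str):
                findings.append(("ERROR", f"{where}.kernel.parameters.{key}={val!r} must be a quoted string"))
            if key in NODE_WIDE_SYSCTLS:
                findings.append(("WARN", f"{where}.kernel.parameters.{key} is node-wide, not namespaced"))
    comp = cfg.get("compression") or {}
    if comp.get("enabled") and "gzip" not in comp:
        findings.append(("ERROR", f"{where}.compression.enabled=true requires compression.gzip (use gzip: {{}} for defaults)"))


def lint_gateway(obj):
    """Return a list of (severity, message) findings for one IstioGateway object."""
    findings = []
    spec = obj.get("spec", {})
    if obj.get("metadata", {}).get("namespace", "istio-system") != "istio-system":
        findings.append(("WARN", "metadata.namespace should be istio-system for Istio 1.6 or later"))
    _check_basic(spec, "spec", findings)
    cluster_ids = spec.get("clusterIds") or []
    overrides = spec.get("overrides") or {}
    if overrides and len(cluster_ids) < 2:
        findings.append(("WARN", "spec.overrides is only meaningful when clusterIds lists two or more clusters"))
    for cid, cfg in overrides.items():
        if cid not in cluster_ids:
            findings.append(("ERROR", f"spec.overrides[{cid!r}] is not listed in spec.clusterIds"))
        _check_basic(cfg, f"spec.overrides[{cid!r}]", findings)
    return findings


# Constructed sample: a gateway that trips most of the checks above.
RISKY_GATEWAY = json.loads("""
{"apiVersion": "istio.alibabacloud.com/v1beta1", "kind": "IstioGateway",
 "metadata": {"name": "edge", "namespace": "myexample"},
 "spec": {"clusterIds": ["cluster1Id"], "serviceType": "Nodeport",
          "hostNetwork": true, "runAsRoot": true, "minReplicas": 3, "maxReplicas": 2,
          "kernel": {"enabled": true, "parameters": {"net.core.somaxconn": 65535, "vm.swappiness": "0"}},
          "compression": {"enabled": true},
          "overrides": {"cluster2Id": {"serviceType": "LoadBalancer",
              "serviceAnnotations": {"service.beta.kubernetes.io/alicloud-loadbalancer-address-type": "internet"}}}}}
""")

if __name__ == "__main__":
    for severity, message in lint_gateway(RISKY_GATEWAY):
        print(f"{severity:5} {message}")
```

Run it against a live object with kubectl get istiogateway <name> -o json piped into json.load; a manifest that passes the ERROR checks still needs the WARN lines reviewed, since a public-facing gateway or a hostNetwork pod may be intended.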
Go structs for a gateway
Sample file:
```go
package v1beta1

import (
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

type GatewayType string
type ConfigState string

const (
	GatewayTypeIngress GatewayType = "ingress"
	GatewayTypeEgress  GatewayType = "egress"
)

// IstioGatewaySpec defines the desired state of an IstioGateway
// +k8s:openapi-gen=true
type IstioGatewaySpec struct {
	// +kubebuilder:validation:Enum=ingress;egress
	GatewayType                    GatewayType `json:"gatewayType,omitempty"`
	IstioGatewayBasicConfiguration `json:",inline"`
	ClusterIds                     []string `json:"clusterIds,omitempty"`
	// Unexported, so encoding/json ignores it: the clusterId key is never (un)marshalled.
	clusterId string                                    `json:"clusterId,omitempty"`
	Overrides map[string]IstioGatewayBasicConfiguration `json:"overrides,omitempty"`
}

// KernelParameters lists the sysctls accepted under kernel.parameters; all values are strings.
type KernelParameters struct {
	NetCoreSoMaxConn             *string `json:"net.core.somaxconn,omitempty"`
	NetCoreNetdevMaxBacklog      *string `json:"net.core.netdev_max_backlog,omitempty"`
	NetIpv4TcpRMem               *string `json:"net.ipv4.tcp_rmem,omitempty"`
	NetIpv4TcpWMem               *string `json:"net.ipv4.tcp_wmem,omitempty"`
	NetIpv4IpLocalPortRange      *string `json:"net.ipv4.ip_local_port_range,omitempty"`
	NetIpv4TcpFinTimeout         *string `json:"net.ipv4.tcp_fin_timeout,omitempty"`
	NetIpv4TcpTwTimeout          *string `json:"net.ipv4.tcp_tw_timeout,omitempty"`
	NetIpv4TcpTwReuse            *string `json:"net.ipv4.tcp_tw_reuse,omitempty"`
	NetIpv4TcpTwRecycle          *string `json:"net.ipv4.tcp_tw_recycle,omitempty"`
	NetIpv4TcpTimestamps         *string `json:"net.ipv4.tcp_timestamps,omitempty"`
	NetIpv4TcpRetries2           *string `json:"net.ipv4.tcp_retries2,omitempty"`
	NetIpv4TcpSlowStartAfterIdle *string `json:"net.ipv4.tcp_slow_start_after_idle,omitempty"`
	NetIpv4TcpMaxOrphans         *string `json:"net.ipv4.tcp_max_orphans,omitempty"`
	NetIpv4TcpMaxSynBacklog      *string `json:"net.ipv4.tcp_max_syn_backlog,omitempty"`
	NetIpv4TcpNoMetricsSave      *string `json:"net.ipv4.tcp_no_metrics_save,omitempty"`
	NetIpv4TcpAutocorking        *string `json:"net.ipv4.tcp_autocorking,omitempty"`
	KernelPrintk                 *string `json:"kernel.printk,omitempty"`
	VmSwappiness                 *string `json:"vm.swappiness,omitempty"`
}

type KernelConfiguration struct {
	Enabled    *bool            `json:"enabled,omitempty"`
	Parameters KernelParameters `json:"parameters,omitempty"`
}

type GzipCompressorConfiguration struct {
	MemoryLevel         *uint32 `json:"memory_level,omitempty"`
	CompressionLevel    *string `json:"compression_level,omitempty"`
	CompressionStrategy *string `json:"compression_strategy,omitempty"`
	WindowBits          *uint32 `json:"window_bits,omitempty"`
	ChunkSize           *uint32 `json:"chunk_size,omitempty"`
}

type CompressorConfiguration struct {
	Enabled                    *bool                        `json:"enabled,omitempty"`
	MinContentLength           *uint32                      `json:"min_content_length,omitempty"`
	ContentType                *[]string                    `json:"content_type,omitempty"`
	DisableOnETagHeader        *bool                        `json:"disable_on_etag_header,omitempty"`
	RemoveAcceptEncodingHeader *bool                        `json:"remove_accept_encoding_header,omitempty"`
	Gzip                       *GzipCompressorConfiguration `json:"gzip,omitempty"`
}

type ReadinessProbeConfiguration struct {
	FailureThreshold int32 `json:"failureThreshold,omitempty"`
	PeriodSeconds    int32 `json:"periodSeconds,omitempty"`
	SuccessThreshold int32 `json:"successThreshold,omitempty"`
}

// IstioGatewayBasicConfiguration holds the per-gateway settings; it is inlined into
// the spec and is also the value type of spec.overrides for each cluster.
// +k8s:openapi-gen=true
type IstioGatewayBasicConfiguration struct {
	ReplicaCount     int32 `json:"replicaCount,omitempty"`
	AutoscaleEnabled bool  `json:"autoscaleEnabled,omitempty"`
	MinReplicas      int32 `json:"minReplicas,omitempty"`
	MaxReplicas      int32 `json:"maxReplicas,omitempty"`
	// +kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer
	ServiceType           corev1.ServiceType           `json:"serviceType,omitempty"`
	LoadBalancerIP        string                       `json:"loadBalancerIP,omitempty"`
	ExternalTrafficPolicy string                       `json:"externalTrafficPolicy,omitempty"`
	ServiceAnnotations    map[string]string            `json:"serviceAnnotations,omitempty"`
	PodAnnotations        map[string]string            `json:"podAnnotations,omitempty"`
	ServiceLabels         map[string]string            `json:"serviceLabels,omitempty"`
	PodLabels             map[string]string            `json:"podLabels,omitempty"`
	Resources             *corev1.ResourceRequirements `json:"resources,omitempty"`
	EnvVars               []corev1.EnvVar              `json:"env,omitempty"`
	Ports                 []corev1.ServicePort         `json:"ports,omitempty"`
	MeshExpansionPorts    []corev1.ServicePort         `json:"meshExpansionPorts,omitempty"`
	NodeSelector          map[string]string            `json:"nodeSelector,omitempty"`
	ApplicationPorts      string                       `json:"applicationPorts,omitempty"`
	RequestedNetworkView  string                       `json:"requestedNetworkView,omitempty"`
	Affinity              *corev1.Affinity             `json:"affinity,omitempty"`
	Tolerations           []corev1.Toleration          `json:"tolerations,omitempty"`
	SecretVolumes         []SecretVolume               `json:"secretVolumes,omitempty"`
	ConfigVolumes         []ConfigVolume               `json:"configVolumes,omitempty"`
	RollingMaxSurge       *string                      `json:"rollingMaxSurge,omitempty"`
	RollingMaxUnavailable *string                      `json:"rollingMaxUnavailable,omitempty"`
	CPU                   HpaCPU                       `json:"cpu,omitempty"`
	Memory                HpaMemory                    `json:"memory,omitempty"`
	Kernel                KernelConfiguration          `json:"kernel,omitempty"`
	Compressor            CompressorConfiguration      `json:"compression,omitempty"`
	RunAsRoot             *bool                        `json:"runAsRoot,omitempty"`
	Lifecycle             *corev1.Lifecycle            `json:"lifecycle,omitempty"`
	ReadinessProbe        ReadinessProbeConfiguration  `json:"readinessProbe,omitempty"`
	HostNetwork           *bool                        `json:"hostNetwork,omitempty"`
	DnsPolicy             corev1.DNSPolicy             `json:"dnsPolicy,omitempty"`
	AutoCreateGatewayYaml *bool                        `json:"autoCreateGatewayYaml,omitempty"`
}

type SecretVolume struct {
	Name       string `json:"name,omitempty"`
	SecretName string `json:"secretName,omitempty"`
	MountPath  string `json:"mountPath,omitempty"`
}

type ConfigVolume struct {
	Name          string `json:"name,omitempty"`
	ConfigMapName string `json:"configMapName,omitempty"`
	MountPath     string `json:"mountPath,omitempty"`
}

// +k8s:openapi-gen=true
type HpaCPU struct {
	TargetAverageUtilization *int32 `json:"targetAverageUtilization,omitempty"`
}

// +k8s:openapi-gen=true
type HpaMemory struct {
	TargetAverageUtilization *int32 `json:"targetAverageUtilization,omitempty"`
}

// +k8s:openapi-gen=true
type IstioGatewayStatus struct {
	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
	// Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
	// Add custom validation using kubebuilder tags: https://book.kubebuilder.io/beyond_basics/generating_crd.html
	Status                     ConfigState      `json:"Status,omitempty"`
	GatewayAddress             []string         `json:"GatewayAddress,omitempty"`
	ClusterIdGatewayAddressMap []GatewayAddress `json:"ClusterIdGatewayAddressMap,omitempty"`
	ErrorMessage               string           `json:"ErrorMessage,omitempty"`
}

// +k8s:openapi-gen=true
type GatewayAddress struct {
	IPAddress string `json:"ipAddress,omitempty"`
	ClusterId string `json:"clusterId,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// IstioGateway is the Schema for the istiogateways API
// +k8s:openapi-gen=true
// +kubebuilder:subresource:status
type IstioGateway struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec   IstioGatewaySpec   `json:"spec,omitempty"`
	Status IstioGatewayStatus `json:"status,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// IstioGatewayList contains a list of IstioGateway
type IstioGatewayList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []IstioGateway `json:"items"`
}
```