When you manage ingress traffic in Service Mesh (ASM), you can choose between Istio-native resources (Gateway + VirtualService) and the Kubernetes Gateway API. Gateway API is a vendor-neutral standard managed by the SIG-NETWORK community that provides a more expressive, extensible resource model for routing.
This topic walks you through creating Gateway and HTTPRoute resources to expose the httpbin sample application through an ASM ingress gateway over HTTP and HTTPS.
How Gateway API differs from Istio APIs
If you already use Istio VirtualService and Gateway resources, the following table highlights key differences:
| Dimension | Istio Gateway + VirtualService | Gateway API (Gateway + HTTPRoute) |
|---|---|---|
| Resource model | Gateway configures a gateway deployment. VirtualService handles all protocols in one resource. | Gateway configures the gateway. Each protocol has its own route type (HTTPRoute, GRPCRoute). |
| Portability | Istio-specific API | Vendor-neutral Kubernetes standard |
| Shorthand | kubectl get gw | kubectl get gtw |
Both Istio and Gateway API define a resource called "Gateway". To avoid ambiguity when querying, use kubectl get gtw for Gateway API gateways and kubectl get gw for Istio gateways.
Version compatibility
| ASM version | Gateway API version | Additional support |
|---|---|---|
| v1.18 | v0.6.0 | -- |
| v1.22 and later | v1.1 | GRPCRoute |
| v1.24 and later | v1.2.0 | -- |
In multi-cluster mode, if two data plane clusters contain Gateway resources with the same name in the same namespace, the resource applied later overwrites the earlier one.
Prerequisites
Before you begin, make sure that you have:
An ACK cluster added to an ASM instance of v1.18 or later. For more information, see Add a cluster to an ASM instance
An ingress gateway with ports 80 and 443 enabled. For more information, see Create an ingress gateway
The httpbin application deployed. For more information, see Step 1 in Deploy the httpbin application
Verify Gateway API CRDs in your ACK cluster
ACK clusters v1.24 and later automatically create Gateway API CustomResourceDefinitions (CRDs). Confirm that the CRDs exist:
```bash
kubectl get crds | grep gateway.networking.k8s.io
```

If the CRDs exist, the output resembles:

```
gatewayclasses.gateway.networking.k8s.io 2023-05-10T02:51:33Z
gateways.gateway.networking.k8s.io 2023-05-10T02:51:33Z
httproutes.gateway.networking.k8s.io 2023-05-10T02:51:33Z
referencegrants.gateway.networking.k8s.io 2023-05-10T02:51:33Z
```

Check the CRD bundle version:

```bash
kubectl get crds -o yaml | grep 'gateway.networking.k8s.io/bundle-version'
```

Expected output:

```
gateway.networking.k8s.io/bundle-version: v0.6.0
gateway.networking.k8s.io/bundle-version: v0.6.0
gateway.networking.k8s.io/bundle-version: v0.6.0
gateway.networking.k8s.io/bundle-version: v0.6.0
```

If the output does not include these CRDs, install the Gateway API component from the Add-ons page in the ACK console. For more information, see Manage components. The bundle version must match the Gateway API version listed for your ASM version in the Version compatibility table above.
Enable Gateway API in ASM
Connect to your ASM instance with kubectl using the ASM kubeconfig, then set enableGatewayAPI to true in the ASMMeshConfig resource named default:

```yaml
apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMMeshConfig
metadata:
  name: default
spec:
  enableGatewayAPI: true
```

Save this YAML to a file (for example, asmmeshconfig.yaml) and apply it:

```bash
kubectl apply -f asmmeshconfig.yaml
```

After you set enableGatewayAPI to true, the ASM control plane generates the CRDs of the Gateway API component and starts reconciling Gateway API resources.
Configure an HTTP routing rule
Create a Gateway and an HTTPRoute in your ACK cluster to expose the httpbin application over HTTP through the ingress gateway.
Create the Gateway
The following Gateway binds to your ingress gateway, creates a listener on port 80 (HTTP) for hosts matching *.aliyun.com, and allows routes from all namespaces (allowedRoutes.namespaces.from: All). In a cluster shared by several teams, that setting lets any namespace attach an HTTPRoute to this listener; use from: Same or a namespace Selector if that is not what you intend.
Replace <ingress-gateway-name> with the name of your deployed ingress gateway.
```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-system
spec:
  addresses:
    - type: Hostname
      value: istio-<ingress-gateway-name>.istio-system.svc.cluster.local
  gatewayClassName: istio
  listeners:
    - name: default
      hostname: '*.aliyun.com' # To match all hosts, omit this field. Do not set it to *.
      port: 80
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: All
```

Save this YAML to a file (for example, gateway.yaml) and apply it:

```bash
kubectl apply -f gateway.yaml
```

Create the HTTPRoute
The following HTTPRoute attaches to the Gateway above and routes requests with the path prefix /get to port 8000 of the httpbin Service.

```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: http
  namespace: default
spec:
  parentRefs:
    - name: gateway
      namespace: istio-system
  hostnames: ["*.aliyun.com"]
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /get
      backendRefs:
        - name: httpbin
          port: 8000
```

By default, an HTTPRoute can only reference Services in its own namespace. To route to Services in other namespaces, create a ReferenceGrant in the namespace that owns the target Service.

Save this YAML to a file (for example, http-route.yaml) and apply it:

```bash
kubectl apply -f http-route.yaml
```

Verify the HTTP routing rule
Run the following command to access the httpbin application through the ingress gateway and check whether the HTTP routing rule takes effect. Replace <ingress-gateway-ip> with the IP address of the ingress gateway.
```bash
curl -I -H "Host: httpbin.aliyun.com" "http://<ingress-gateway-ip>:80/get"
```

Expected output:

```
HTTP/1.1 200 OK
server: istio-envoy
date: Fri, 12 May 2023 08:16:30 GMT
content-type: application/json
content-length: 516
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 4
```

A 200 OK response confirms that the HTTP routing rule is working.
Configure an HTTPS routing rule with TLS termination
Create a Gateway and an HTTPRoute that expose the httpbin application over HTTPS, with Transport Layer Security (TLS) termination at the ingress gateway.
Prepare a TLS certificate
Create a certificate for the a.aliyun.com host using the ASM certificate management feature. Set the certificate name to myexample-credential. For detailed steps, see Prepare server certificates and private keys.
Create the Gateway
The following Gateway binds to your ingress gateway, creates an HTTPS listener on port 443 for hosts matching *.aliyun.com, and terminates TLS using the myexample-credential certificate. The Secret that certificateRefs points to must be in the Gateway's namespace (istio-system here); referencing a Secret in another namespace requires a ReferenceGrant in that namespace.
Replace <ingress-gateway-name> with the name of your deployed ingress gateway.
```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway-https
  namespace: istio-system
spec:
  addresses:
    - type: Hostname
      value: istio-<ingress-gateway-name>.istio-system.svc.cluster.local
  gatewayClassName: istio
  listeners:
    - name: https
      hostname: "*.aliyun.com"
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - name: myexample-credential
      allowedRoutes:
        namespaces:
          from: All
```

Save this YAML to a file (for example, gateway-https.yaml) and apply it:

```bash
kubectl apply -f gateway-https.yaml
```

Create the HTTPRoute
The following HTTPRoute attaches to the HTTPS Gateway and routes requests with path prefixes /status or /delay to port 8000 of the httpbin service.
```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: httpbin-https
  namespace: default
spec:
  parentRefs:
    - name: gateway-https
      namespace: istio-system
  hostnames: ["*.aliyun.com"]
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /status
        - path:
            type: PathPrefix
            value: /delay
      backendRefs:
        - name: httpbin
          port: 8000
```

Save this YAML to a file (for example, httpbin-https.yaml) and apply it:

```bash
kubectl apply -f httpbin-https.yaml
```

Verify the HTTPS routing rule
Run the following command to access the httpbin application through the ingress gateway and check whether the HTTPS routing rule takes effect. Replace <ingress-gateway-ip> with the IP address of the deployed ingress gateway. The --resolve option sends the request to the gateway IP while presenting a.aliyun.com as the TLS server name, so the listener's hostname match and the certificate selection are exercised. The -k option skips certificate verification because the test certificate is not issued by a CA that curl trusts; once the gateway serves a CA-signed certificate, drop -k (or pass the issuing CA with --cacert) so the check also verifies the certificate chain.

```bash
curl -k -H "Host: a.aliyun.com" --resolve a.aliyun.com:443:<ingress-gateway-ip> https://a.aliyun.com/status/418
```

Expected output:

```

    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`
```

The teapot ASCII art (HTTP 418) confirms that the HTTPS routing rule and TLS termination are working.
What to do next
Route gRPC traffic by creating a GRPCRoute resource (requires ASM v1.22 or later).
Enable cross-namespace routing with a ReferenceGrant.