
Alibaba Cloud Service Mesh: Define routing rules with Gateway API

Last Updated: Mar 11, 2026

Gateway API provides expressive, extensible, and role-oriented interfaces for service networking in Kubernetes. In Alibaba Cloud Service Mesh (ASM), you use Gateway API resources -- Gateway and HTTPRoute -- to expose applications running in your cluster through an ingress gateway.

This topic walks you through defining HTTP and HTTPS routing rules that expose the httpbin sample application on an ASM ingress gateway.

How it works

Traffic flows through the following path:

Client request --> Ingress gateway (Gateway resource) --> HTTPRoute --> Backend service (httpbin)

  1. A Gateway resource binds to a pre-deployed ingress gateway and creates a listener on a specified port and hostname pattern.

  2. An HTTPRoute attaches to the Gateway and routes matching requests to a backend service.

Unlike upstream Istio, where a Gateway resource automatically provisions a data plane, ASM requires you to bind the Gateway to a pre-deployed ingress gateway through the spec.addresses field. This enables resource reuse and centralized management across clusters.

Version compatibility

| ASM version | Gateway API version | Notes |
| --- | --- | --- |
| v1.18 | v0.6.0 | Initial support |
| v1.22 and later | v1.1 | Adds GRPCRoute support |

In multi-cluster mode, gateway resources with the same name in the same namespace across two data plane clusters overwrite each other. The last-applied resource takes precedence.

Prerequisites

Before you begin, make sure that you have:

Step 1: Verify that Gateway API CRDs exist in the ACK cluster

ACK clusters v1.24 and later automatically include Gateway API CustomResourceDefinitions (CRDs). Verify that the CRDs exist and check their versions.

  1. Check whether the CRDs exist:

       kubectl get crds | grep gateway.networking.k8s.io

     If the CRDs are present, the output resembles the following:

       gatewayclasses.gateway.networking.k8s.io                         2023-05-10T02:51:33Z
       gateways.gateway.networking.k8s.io                               2023-05-10T02:51:33Z
       httproutes.gateway.networking.k8s.io                             2023-05-10T02:51:33Z
       referencegrants.gateway.networking.k8s.io                        2023-05-10T02:51:33Z

  2. Verify the CRD bundle version:

       kubectl get crds -o yaml | grep 'gateway.networking.k8s.io/bundle-version'

     Expected output:

       gateway.networking.k8s.io/bundle-version: v0.6.0
       gateway.networking.k8s.io/bundle-version: v0.6.0
       gateway.networking.k8s.io/bundle-version: v0.6.0
       gateway.networking.k8s.io/bundle-version: v0.6.0

If the CRDs are missing, install the Gateway API component from the Add-ons page in the ACK console. For more information, see Manage components.

Step 2: Enable Gateway API for the ASM instance

Connect to the ASM instance with kubectl using its kubeconfig file, then set enableGatewayAPI to true in the ASMMeshConfig resource:

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMMeshConfig
metadata:
  name: default
spec:
  enableGatewayAPI: true

After you apply this configuration, the ASM control plane generates the corresponding Gateway API CRDs.

Important

Both Gateway API and Istio define a resource called "gateway." To avoid conflicts when querying:

  • Gateway API gateway: kubectl get gtw

  • Istio gateway: kubectl get gw

Step 3: Configure an HTTP routing rule

Create a Gateway and an HTTPRoute in the ACK cluster to expose the httpbin application over HTTP through the ingress gateway.

Apply the following YAML to the ACK cluster. Replace <ingress-gateway-name> with the name of your deployed ingress gateway.

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-system
spec:
  addresses:
  - type: Hostname
    value: istio-<ingress-gateway-name>.istio-system.svc.cluster.local  # Binds to the pre-deployed ingress gateway
  gatewayClassName: istio
  listeners:
  - name: default
    hostname: '*.aliyun.com'   # To match all hosts, omit this field. A wildcard (*) alone is not allowed.
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All              # Allows HTTPRoutes from any namespace to attach
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: http
  namespace: default
spec:
  parentRefs:
  - name: gateway
    namespace: istio-system     # Attaches to the Gateway created above
  hostnames: ["*.aliyun.com"]
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /get
    backendRefs:
    - name: httpbin              # Routes to the httpbin service in the same namespace
      port: 8000

Save the content as gateway-http.yaml and apply it:

kubectl apply -f gateway-http.yaml

Key fields

| Field | Description |
| --- | --- |
| spec.addresses | Specifies which ingress gateway this Gateway binds to. ASM requires you to bind to a pre-deployed ingress gateway rather than provisioning one automatically. This enables resource reuse and centralized management. |
| spec.listeners[].hostname | Filters requests by host. Set to a specific domain or wildcard pattern. Omit the field entirely to match all hosts. |
| spec.listeners[].allowedRoutes | Controls which namespaces can attach routes to this listener. from: All permits routes from any namespace. |
| parentRefs | Attaches the HTTPRoute to one or more Gateways. If no listener name is specified, the route attaches to all compatible listeners. |
| backendRefs | Specifies the destination service and port for matched requests. By default, only services in the same namespace can be referenced. To reference services in other namespaces, configure a ReferenceGrant. |
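
The allowedRoutes and backendRefs rules above can be checked offline before a manifest is applied. The following Python sketch is an added example, not ASM or Gateway API project code: it models allowedRoutes.namespaces (from: All on the page, plus the Gateway API values Same and Selector) and the ReferenceGrant requirement for cross-namespace backendRefs. The manifests are constructed dicts; the apps namespace, the gateway-access label, and all function names are assumptions.

```python
# Added example. Manifests are constructed dicts mirroring the page's YAML;
# the "apps" namespace and the "gateway-access" label are hypothetical.

def namespace_allowed(listener, gw_ns, route_ns, ns_labels):
    """Evaluate allowedRoutes.namespaces for the namespace a route lives in."""
    rule = listener.get("allowedRoutes", {}).get("namespaces", {})
    mode = rule.get("from", "Same")  # Gateway API default when unset
    if mode in ("All", "Same"):
        return mode == "All" or route_ns == gw_ns
    wanted = rule.get("selector", {}).get("matchLabels", {})  # mode == "Selector"
    have = ns_labels.get(route_ns, {})
    return all(have.get(k) == v for k, v in wanted.items())

def backend_permitted(route_ns, ref, grants):
    """Same-namespace refs pass; cross-namespace refs need a ReferenceGrant."""
    target_ns = ref.get("namespace", route_ns)
    # Only grants that live in the target Service's namespace count.
    local = [g["spec"] for g in grants if g["metadata"]["namespace"] == target_ns]
    return target_ns == route_ns or any(
        any(f["kind"] == "HTTPRoute" and f["namespace"] == route_ns for f in s["from"])
        and any(t["kind"] == "Service" and t.get("name") in (None, ref["name"]) for t in s["to"])
        for s in local)

def audit(gateway, route, grants=(), ns_labels=None):
    """Return a list of findings for one Gateway/HTTPRoute pair."""
    out, gw_ns = [], gateway["metadata"]["namespace"]
    route_ns = route["metadata"]["namespace"]
    for lis in gateway["spec"]["listeners"]:
        if lis.get("allowedRoutes", {}).get("namespaces", {}).get("from") == "All":
            out.append(f"listener {lis['name']}: from: All accepts routes from any namespace")
        if not namespace_allowed(lis, gw_ns, route_ns, ns_labels or {}):
            out.append(f"listener {lis['name']}: namespace {route_ns} may not attach")
    for rule in route["spec"]["rules"]:
        for ref in rule.get("backendRefs", []):
            if not backend_permitted(route_ns, ref, grants):
                out.append(f"backendRef {ref['name']}: no ReferenceGrant in {ref['namespace']}")
    return out

def make_gateway(ns_rule):  # the page's Gateway, varying only allowedRoutes.namespaces
    return {"metadata": {"namespace": "istio-system"}, "spec": {"listeners": [
        {"name": "default", "allowedRoutes": {"namespaces": ns_rule}}]}}

def make_route(ref):  # an HTTPRoute in namespace default, as on the page
    return {"metadata": {"namespace": "default"}, "spec": {"rules": [{"backendRefs": [ref]}]}}

GRANT = {"metadata": {"namespace": "apps"}, "spec": {  # constructed ReferenceGrant
    "from": [{"kind": "HTTPRoute", "namespace": "default"}], "to": [{"kind": "Service"}]}}

if __name__ == "__main__":
    print(audit(make_gateway({"from": "All"}), make_route({"name": "httpbin", "port": 8000})))
```

Run against the page's HTTP example, the audit reports only the from: All listener; switching the listener to a Selector rule and labelling the default namespace clears it.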

Verify the HTTP routing rule

Send a request through the ingress gateway:

curl -I -HHost:httpbin.aliyun.com "http://<ingress-gateway-ip>:80/get"

Replace <ingress-gateway-ip> with the IP address of your ingress gateway.

Expected output:

HTTP/1.1 200 OK
server: istio-envoy
date: Fri, 12 May 2023 08:16:30 GMT
content-type: application/json
content-length: 516
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 4

A 200 OK response confirms that the HTTP routing rule is working.

Step 4: Configure an HTTPS routing rule with TLS termination

Create a Gateway and HTTPRoute that expose the httpbin application over HTTPS. TLS terminates at the ingress gateway, so backend traffic remains unencrypted.

Prepare a TLS certificate

Use the ASM certificate management feature to create a certificate for the host a.aliyun.com. Set the certificate name to myexample-credential. For more information, see Prepare server certificates and private keys.

Create the HTTPS Gateway and HTTPRoute

Apply the following YAML to the ACK cluster. Replace <ingress-gateway-name> with the name of your deployed ingress gateway.

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway-https
  namespace: istio-system
spec:
  addresses:
  - type: Hostname
    value: istio-<ingress-gateway-name>.istio-system.svc.cluster.local
  gatewayClassName: istio
  listeners:
  - name: https
    hostname: "*.aliyun.com"
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate              # TLS terminates at the ingress gateway
      certificateRefs:
      - name: myexample-credential # References the certificate created above
    allowedRoutes:
      namespaces:
        from: All
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: httpbin-https
  namespace: default
spec:
  parentRefs:
  - name: gateway-https
    namespace: istio-system
  hostnames: ["*.aliyun.com"]
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /status
    - path:
        type: PathPrefix
        value: /delay
    backendRefs:
    - name: httpbin
      port: 8000

Save the content as gateway-https.yaml and apply it:

kubectl apply -f gateway-https.yaml

Verify the HTTPS routing rule

Send an HTTPS request through the ingress gateway:

curl -k -H Host:a.aliyun.com \
  --resolve a.aliyun.com:443:<ingress-gateway-ip> \
  https://a.aliyun.com/status/418

Replace <ingress-gateway-ip> with the IP address of your deployed ingress gateway.

Expected output:

-=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`

The teapot response (HTTP 418) confirms that the HTTPS routing rule and TLS termination are working.

Differences from Istio APIs

If you are migrating from Istio VirtualService and Gateway resources, the following differences apply:

| Aspect | Istio API | Gateway API |
| --- | --- | --- |
| Gateway behavior | Configures an existing gateway deployment | In upstream Istio, both configures and deploys a gateway. In ASM, binds to a pre-deployed ingress gateway through spec.addresses. |
| Protocol routing | All protocols configured in a single VirtualService | Each protocol has its own resource type: HTTPRoute, GRPCRoute, TCPRoute |
| Resource query command | kubectl get gw | kubectl get gtw |
| Cross-namespace routing | Configured directly in VirtualService | Requires a ReferenceGrant for cross-namespace backend references |

Placeholder reference

Replace the following placeholders in the examples with your actual values:

| Placeholder | Description | Example |
| --- | --- | --- |
| <ingress-gateway-name> | Name of your deployed ingress gateway | ingressgateway |
| <ingress-gateway-ip> | IP address of your ingress gateway | 47.95.XX.XX |