When multiple ingress gateways front different Classic Load Balancer (CLB) instances but require the same listener settings, configuring each gateway separately creates duplication and drift risk. In Service Mesh (ASM), you can assign a shared label to multiple ingress gateway deployments and set the same label in a single Gateway resource's spec.selector. This lets one Istio gateway configuration serve all matching ingress gateways.
This topic describes how to add a shared label to ingress gateways and configure the Gateway selector so that a single Istio gateway applies to multiple ingress gateways.
How gateway selectors work
A Gateway resource uses spec.selector to match labels on ingress gateway pods. Every ingress gateway whose pods carry a matching label receives that Gateway configuration.
For example, if two ingress gateway deployments both carry the label key1: value1, a Gateway with selector: {key1: value1} applies to both:
DNS A records (xxx.xxx.cn)
|-- CLB instance 1 --> Ingress gateway 1 --\
| +--> Gateway (selector: key1: value1) --> VirtualService
\-- CLB instance 2 --> Ingress gateway 2 --/A Gateway resource only configures proxies to listen on specific ports (Layer 4-6). It does not define Layer 7 routing rules. To route traffic to backend services, bind the gateway to a virtual service. For reference details, see Istio Gateway and VirtualService.
Prerequisites
Before you begin, make sure that you have:
An ASM instance of v1.13.4.46 or later. See Create an ASM instance
A cluster added to the ASM instance. See Add a cluster to an ASM instance
At least two ingress gateways deployed. See Create an ingress gateway
An application deployed in the ASM instance. See Deploy an application in an ASM instance
Step 1: Add a shared label to each ingress gateway
Add the same label to every ingress gateway that should share the Istio gateway.
Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance.
In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
On the Ingress Gateway page, find the first ingress gateway and click YAML.
In the Edit dialog box, add the
podLabelsfield underspecand click OK.... spec: podLabels: key1: value1 ...Repeat steps 4-5 for each additional ingress gateway that should share the same Istio gateway.
Verify the labels
Run the following command to confirm that each ingress gateway's pods carry the expected label:
kubectl get pods -n istio-system --show-labels | grep <ingress-gateway-name>Replace <ingress-gateway-name> with the name of your ingress gateway deployment. The output should include key1=value1 in the labels column. Example output:
ingress-gateway-1-xxx 1/1 Running 0 2d app=istio-ingressgateway,key1=value1,...Step 2: Configure the Gateway selector
Point the Istio gateway at the labeled ingress gateways by setting spec.selector to the same label.
On the details page of the ASM instance, choose ASM Gateways > Gateway in the left-side navigation pane.
On the Gateway page, find the target Istio gateway and click YAML in the Actions column.
In the Edit dialog box, set the
selectorfield to match the label added in Step 1, and click OK. Because both ingress gateways now carrykey1: value1, this single Gateway resource applies to both.apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: name: bookinfo-gateway namespace: default spec: selector: key1: value1 servers: - hosts: - '*' port: name: http number: 80 protocol: HTTP
Verify the Gateway binding
Run the following command to confirm that the Gateway resource is configured correctly:
kubectl get gateway bookinfo-gateway -n default -o yamlVerify that spec.selector shows key1: value1 and spec.servers lists the expected port and protocol. Example output:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: bookinfo-gateway
namespace: default
spec:
selector:
key1: value1
servers:
- hosts:
- '*'
port:
name: http
number: 80
protocol: HTTPWhat to do next
A Gateway resource only configures the listener. To route traffic to backend services, create a virtual service that references this gateway. See Manage virtual services.
For details on Gateway and ingress gateway CRD fields, see CRD fields for an ASM gateway.