Use an ASM gateway as an Ingress controller to expose services in a cluster - Alibaba Cloud Service Mesh

Service Mesh (ASM) allows you to use Ingress resources in a managed cluster and specify an ASM gateway as the Ingress controller. This topic describes how to configure Ingress resources in a Container Service for Kubernetes (ACK) cluster and use an ASM gateway as the Ingress controller to expose services in the cluster.

Prerequisites

An ACK cluster is added to an ASM instance of v1.16 or later. For more information, see Add a cluster to an ASM instance.
An ingress gateway is deployed and ports 80 and 443 are exposed. For more information, see Create an ingress gateway service.
The httpbin application is deployed. (However, it does not need to be exposed on the gateway.) For more information, see Deploy the httpbin application.

Limits

If you use an ASM gateway as the Ingress controller, you cannot configure the defaultBackend field in the Ingress. For more information, see Ingress.
Only Ingress APIs of V1 are supported. Before you use an ASM gateway as an Ingress controller, make sure that the version of Ingress APIs on the data plane is V1.

Features

An Ingress is a standard API object of Kubernetes. It is used to manage external access to Kubernetes services. You can configure routing rules in the Ingress to expose HTTP or HTTPS services in the cluster to the outside of the cluster.

ASM allows you to use Ingress resources in a managed cluster and specify an ASM gateway as the Ingress controller. An ASM gateway supports advanced features such as autoscaling, Transport Layer Security (TLS) acceleration, and graceful shutdown of the Server Load Balancer (SLB) instance on the gateway. When an ASM gateway serves as an Ingress controller, you can use multiple observability and security features provided by Service Mesh. An ASM gateway also supports the dynamic loading of certificates. Private keys, server certificates, and root certificates required by TLS can be dynamically configured when the gateway is not restarted.

Step 1: Enable Ingress on the ASM gateway

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
In the Advanced features section, click Enable Ingress API access. In the Submit message that appears, click OK.

Step 2: Create an Ingress and specify the ASM gateway as the Ingress controller

An Ingress does not support the configuration of listening ports for a gateway. By default, port 80 is used for HTTP and port 443 is used for HTTPS. Therefore, you must enable ports 80 and 443 for listening on the ASM gateway.

Use annotations to specify the Ingress controller

Create a file named ingress.yaml and copy the following content to the file:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio
  name: ingress
spec:
  rules:
  - host: httpbin.aliyun.com
    http:
      paths:
      - path: /status
        pathType: Prefix
        backend:
          service:
            name: httpbin
            port:
              number: 8000

Use kubectl to connect to the ACK cluster and run the following command to specify the ASM gateway as the Ingress controller:
```
kubectl apply -f ingress.yaml
```

Use an IngressClass resource to specify the Ingress controller

Create a file named ingress.yaml and copy the following content to the file:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
spec:
  ingressClassName: istio
  rules:
  - host: httpbin.aliyun.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: httpbin
            port:
              number: 8000

Use kubectl to connect to the ACK cluster and run the following command to specify the ASM gateway as the Ingress controller:
```
kubectl apply -f ingress.yaml
```

Step 3: Use HTTP to access the httpbin service

Run the following command to access the httpbin service:

curl -H 'host: httpbin.aliyun.com'  http://${IP address of the ASM gateway}/status/418

Expected output:

    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/

The output indicates that the Ingress is used to successfully expose the httpbin application on the ASM gateway.

Step 4: Configure TLS and use HTTPS to access the httpbin service

ASM allows you to configure TLS for an Ingress. The ASM gateway runs in the istio-system namespace. Therefore, the Secret referenced in the Ingress must also reside in the istio-system namespace.

As an Ingress controller, the ASM gateway can dynamically load certificates. Private keys, server certificates, and root certificates required by TLS can be dynamically configured when the gateway is not restarted. The ASM gateway also allows you to mount multiple Secrets to load different certificates. The whole configuration process does not require the gateway pod to be restarted.

The following example describes how to load a certificate. If multiple certificates are required, perform Step 2 and Step 3 to create a Secret and complete automatic certificate loading.

Prepare a server certificate and a private key.
A domain name is accessible only after it has obtained an Internet Content Provider (ICP) filing. In this example, a certificate and a private key are generated for the aliyun.com domain name and saved as the Secret.
- Scenario 1: No certificate and private key available for aliyun.com
  Run the following openssl commands to create certificates and private keys.
  1. Run the following command to create a root certificate and a private key:
```
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=myexample Inc./CN=aliyun.com' -keyout aliyun.root.key -out aliyun.root.crt
```
  2. Run the following commands to generate a certificate and a private key for the server of aliyun.com:
```
openssl req -out aliyun.com.csr -newkey rsa:2048 -nodes -keyout aliyun.com.key -subj "/CN=aliyun.com/O=myexample organization"
openssl x509 -req -days 365 -CA aliyun.root.crt -CAkey aliyun.root.key -set_serial 0 -in aliyun.com.csr -out aliyun.com.crt
```
  3. Use kubectl to connect to the cluster to which the ingress gateway pod belongs based on the information in the KubeConfig file, and run the following command to create a Secret that contains the server certificate and private key in the istio-system namespace:
```
kubectl create -n istio-system secret tls myexample-credential --key=aliyun.com.key --cert=aliyun.com.crt
```
- Scenario 2: A certificate and a private key available for aliyun.com
  1. Name the certificate aliyun.com.crt and the private key aliyun.com.key.
  2. Use kubectl to connect to the cluster to which the ingress gateway pod belongs based on the information in the KubeConfig file, and run the following command to create a Secret that contains the server certificate and private key in the istio-system namespace:
```
kubectl create -n istio-system secret tls myexample-credential --key=aliyun.com.key --cert=aliyun.com.crt
```
Create an Ingress and set the Secret referenced by TLS to the myexample-credential Secret created in Step 1.
1. Create a file named ingress-https.yaml and copy the following content to the file:
```
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.class: istio
spec:
  rules:
    - host: httpbin.aliyun.com
      http:
        paths:
          - backend:
              service:
                name: httpbin
                port:
                  number: 8000
            path: /status
            pathType: Prefix
  tls:
    - hosts:
        - httpbin.aliyun.com
      secretName: myexample-credential
```
  Note If you create an Ingress in the ACK console, you can select the Secret of the certificate only from the namespace where the Ingress resides. For example, if you create an Ingress in the default namespace, you can select the corresponding Secret only from the default namespace. Therefore, you need to copy the myexample-credential Secret created in Step 1 to the default namespace to make sure that the Secret can be selected in the ACK console.
2. Use kubectl to connect to the ACK cluster and run the following command to deploy the Ingress:
```
kubectl apply -f ingress-https.yaml
```

Run the following command to access the httpbin service over HTTPS:

curl  -H Host:httpbin.aliyun.com --resolve httpbin.aliyun.com:443:${IP address of the ASM gateway} https://httpbin.aliyun.com:443/status/418 -k

Expected output:

    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/

The output indicates that the Ingress is used to successfully expose the httpbin application on the ASM gateway.