Gateway API is an open source project managed by the SIG-NETWORK community. The project aims to evolve service networking by providing expressive, extensible, and role-oriented interfaces. This topic describes how to use Gateway API to define routing rules for accessing an application in a cluster.
Prerequisites
A Container Service for Kubernetes (ACK) cluster is added to a Service Mesh (ASM) instance of v1.18 or later. For more information, see Add a cluster to an ASM instance.
An ingress gateway is deployed and ports 80 and 443 are enabled for the ingress gateway. For more information, see Create an ingress gateway.
The httpbin application is deployed. For more information, see Step 1 in Deploy the httpbin application.
Usage notes
ASM supports Gateway API 0.6.0.
In multi-cluster mode, if gateway resources with the same names are configured in the same namespace in two clusters on the data plane, the resources that are applied later overwrite the resources that are previously created.
Step 1: Confirm that CRDs of the Gateway API component are created in the ACK cluster
By default, CustomResourceDefinitions (CRDs) of the Gateway API component are automatically created in ACK clusters whose versions are 1.24 and later. You can perform the following operations to confirm that the CRDs are created in the ACK cluster and the versions of the CRDs are 0.6.0.
Run the following command to check whether the CRDs are created in the ACK cluster:
kubectl get crds | grep gateway.networking.k8s.io
If output similar to the following is returned, the CRDs are created.
gatewayclasses.gateway.networking.k8s.io     2023-05-10T02:51:33Z
gateways.gateway.networking.k8s.io           2023-05-10T02:51:33Z
httproutes.gateway.networking.k8s.io         2023-05-10T02:51:33Z
referencegrants.gateway.networking.k8s.io    2023-05-10T02:51:33Z
Run the following command to check whether the versions of the CRDs are 0.6.0:
kubectl get crds -o yaml | grep 'gateway.networking.k8s.io/bundle-version: v0.6.0'
Expected output:
gateway.networking.k8s.io/bundle-version: v0.6.0
gateway.networking.k8s.io/bundle-version: v0.6.0
gateway.networking.k8s.io/bundle-version: v0.6.0
gateway.networking.k8s.io/bundle-version: v0.6.0
If the output does not contain CRDs of the Gateway API component, log on to the ACK console and install the Gateway API component on the Add-ons page. For more information, see Manage components.
Step 2: Enable Gateway API for the ASM instance
Use kubectl to connect to the ASM instance based on the information in the kubeconfig file, and then add the enableGatewayAPI: true field to the ASMMeshConfig named default.
apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMMeshConfig
metadata:
  name: default
spec:
  enableGatewayAPI: true
After you set enableGatewayAPI to true, the control plane generates CRDs of the Gateway API component. Both the Gateway API component and Istio contain gateway resources, so the same kubectl command can conflict when you query the gateway resources of the two. To query the gateway resource of the Gateway API component, run the kubectl get gtw command. To query the gateway resource of Istio, run the kubectl get gw command.
Step 3: Configure an HTTP traffic routing rule
The following section describes how to use Gateway API to configure an HTTP traffic routing rule. The routing rule is used to expose the httpbin application on the ingress gateway. You must create a gateway and an HTTPRoute in the ACK cluster.
Create a gateway.
Create a gateway.yaml file that contains the following content.
The configurations in the file indicate that the gateway is applied on the specified ingress gateway and a listener whose host is *.aliyun.com is created. Routing rules of all namespaces are allowed to use the listener. The listener uses port 80 (HTTP). Replace ${Name of the ingress gateway} in the YAML file with the name of the deployed ingress gateway.
Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file, and then run the following command to deploy the gateway:
kubectl apply -f gateway.yaml
Create an HTTPRoute.
Create an http-route.yaml file that contains the following content.
The configurations in the file indicate that the routing rule uses the gateway named gateway in the istio-system namespace. All listeners of the gateway are used here because you do not specify the name of the listener that you want to use. Requests whose paths are prefixed with /get are routed to port 8000 of the httpbin application in the same namespace.
Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file, and then run the following command to deploy the HTTPRoute:
kubectl apply -f http-route.yaml
Run the following command to access the httpbin application by using the ingress gateway and check whether the HTTP traffic routing rule takes effect:
curl -I -HHost:httpbin.aliyun.com "http://${IP address of the ingress gateway}:80/get"
Expected output:
HTTP/1.1 200 OK
server: istio-envoy
date: Fri, 12 May 2023 08:16:30 GMT
content-type: application/json
content-length: 516
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 4
In the preceding output, 200 OK is returned. This indicates that the HTTP traffic routing rule takes effect.
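The gateway in Step 3 lets routes from all namespaces use its listener, and the HTTPRoute binds to every listener because it names none, so any namespace that can create an HTTPRoute can publish paths under *.aliyun.com. The following added example (not part of the original topic or of ASM) audits Gateway API objects for those two settings. The sample objects are constructed: the listener name default, the route name http, the default namespace and the gateway-locked gateway are assumptions.

```python
import json

# Constructed sample, trimmed to the fields the audit reads. Real input could
# come from: kubectl get gtw,httproute -A -o json
SAMPLE = json.loads("""
{"items": [
 {"kind": "Gateway", "metadata": {"name": "gateway", "namespace": "istio-system"},
  "spec": {"listeners": [
   {"name": "default", "hostname": "*.aliyun.com", "port": 80, "protocol": "HTTP",
    "allowedRoutes": {"namespaces": {"from": "All"}}}]}},
 {"kind": "Gateway", "metadata": {"name": "gateway-locked", "namespace": "istio-system"},
  "spec": {"listeners": [
   {"name": "web", "hostname": "*.aliyun.com", "port": 80, "protocol": "HTTP"}]}},
 {"kind": "HTTPRoute", "metadata": {"name": "http", "namespace": "default"},
  "spec": {"parentRefs": [{"name": "gateway", "namespace": "istio-system"}],
           "rules": [{"matches": [{"path": {"type": "PathPrefix", "value": "/get"}}],
                      "backendRefs": [{"name": "httpbin", "port": 8000}]}]}}
]}
""")


def audit(items):
    """Return sorted (object, finding) pairs for broad route-attachment settings."""
    findings = []
    for obj in items:
        meta, spec = obj["metadata"], obj.get("spec", {})
        ident = f'{obj["kind"]}/{meta["namespace"]}/{meta["name"]}'
        if obj["kind"] == "Gateway":
            for lis in spec.get("listeners", []):
                # Gateway API defaults to "Same" when allowedRoutes is omitted.
                scope = lis.get("allowedRoutes", {}).get("namespaces", {}).get("from", "Same")
                if scope == "All":
                    findings.append((ident, f'listener {lis["name"]} accepts routes from all namespaces'))
        elif obj["kind"] == "HTTPRoute":
            for ref in spec.get("parentRefs", []):
                parent_ns = ref.get("namespace", meta["namespace"])
                target = f'{parent_ns}/{ref["name"]}'
                if "sectionName" not in ref:
                    findings.append((ident, f"attaches to every listener of {target}"))
                if parent_ns != meta["namespace"]:
                    findings.append((ident, f"cross-namespace attachment to {target}"))
    return sorted(findings)


if __name__ == "__main__":
    for ident, finding in audit(SAMPLE["items"]):
        print(f"{ident}: {finding}")
```

Setting allowedRoutes.namespaces.from to Same or Selector on the listener, and sectionName in the route's parentRefs, clears the corresponding findings.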
Step 4: Configure an HTTPS traffic routing rule
The following section describes how to use Gateway API to configure an HTTPS traffic routing rule, expose the httpbin application on the ingress gateway by using the rule, and perform Transport Layer Security (TLS) termination on the ingress gateway. You must create a gateway and an HTTPRoute in the ACK cluster.
Use the certificate management feature of ASM to create a certificate for the a.aliyun.com host to use HTTPS. Set the certificate name to myexample-credential. For more information, see Step 1: Prepare server certificates and private keys for multiple servers.
Create a gateway.
Create a gateway-https.yaml file that contains the following content.
Replace ${Name of the ingress gateway} in the YAML file with the name of the deployed ingress gateway.
Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file, and then run the following command to deploy the gateway:
kubectl apply -f gateway-https.yaml
Create an HTTPRoute.
Create an httpbin-https.yaml file that contains the following content:
Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file, and then run the following command to deploy the HTTPRoute:
kubectl apply -f httpbin-https.yaml
Run the following command to access the httpbin application by using the ingress gateway and check whether the HTTPS traffic routing rule takes effect:
curl -k -H Host:a.aliyun.com --resolve a.aliyun.com:443:{IP address of the deployed ingress gateway} https://a.aliyun.com/status/418
Expected output:
    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`
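The output indicates that the HTTPS traffic routing rule takes effect. Because the command uses -k, curl does not verify the server certificate, so this check confirms routing and TLS termination but not that clients will trust the certificate.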