Use Gateway API to define a routing rule - Alibaba Cloud Service Mesh

Gateway API is an open source project managed by the SIG-NETWORK community. The project aims to evolve service networking by providing expressive, extensible, and role-oriented interfaces. You can use Gateway API to define routing rules for accessing applications in a cluster. This topic describes how to use Gateway API to define a routing rule for accessing an application in a cluster.

Prerequisites

A Container Service for Kubernetes (ACK) cluster is added to a Service Mesh (ASM) instance of v1.18 or later. For more information, see Add a cluster to an ASM instance.
An ingress gateway is deployed and ports 80 and 443 are enabled for the ingress gateway. For more information, see Create an ingress gateway.
The httpbin application is deployed. For more information, see Step 1 in Deploy the httpbin application.

Usage notes

ASM supports Gateway API 0.6.0.
In multi-cluster mode, if gateway resources with the same names are configured in the same namespace in two clusters on the data plane, the resources that are applied later overwrite the resources that are previously created.

Step 1: Confirm that CRDs of the Gateway API component are created in the ACK cluster

By default, CustomResourceDefinitions (CRDs) of the Gateway API component are automatically created in ACK clusters whose versions are 1.24 and later. You can perform the following operations to confirm that the CRDs are created in the ACK cluster and the versions of the CRDs are 0.6.0.

Run the following command to check whether the CRDs are created in the ACK cluster:

kubectl get crds | grep gateway.networking.k8s.io

If the expected output is shown as in the following code block, it indicates that the CRDs are created.

gatewayclasses.gateway.networking.k8s.io                         2023-05-10T02:51:33Z
gateways.gateway.networking.k8s.io                               2023-05-10T02:51:33Z
httproutes.gateway.networking.k8s.io                             2023-05-10T02:51:33Z
referencegrants.gateway.networking.k8s.io                        2023-05-10T02:51:33Z

Run the following command to check whether the versions of the CRDs are 0.6.0:

kubectl get crds -o yaml | grep 'gateway.networking.k8s.io/bundle-version: v0.6.0'

Expected output:

gateway.networking.k8s.io/bundle-version: v0.6.0
gateway.networking.k8s.io/bundle-version: v0.6.0
gateway.networking.k8s.io/bundle-version: v0.6.0
gateway.networking.k8s.io/bundle-version: v0.6.0

If the output does not contain CRDs of the Gateway API component, log on to the ACK console and install the Gateway API component on the Add-ons page. For more information, see Manage components.

Step 2: Enable Gateway API for the ASM instance

Use kubectl to connect to the ASM instance based on the information in the kubeconfig file, and then add the enableGatewayAPI: true field to ASMMeshConfig named default.

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMMeshConfig
metadata:
  name: default
spec:
  enableGatewayAPI: true

After you specify enableGatewayAPI as true, the control plane generates CRDs of the Gateway API component. Both the Gateway API component and Istio contain gateway resources. Therefore, conflicts may occur when you use kubectl to run the same command to query the gateway resources of the two. To query the gateway resource of the Gateway API component, run the kubectl get gtw command. To query the gateway resource of Istio, run the kubectl get gw command.

Step 3: Configure an HTTP traffic routing rule

The following section describes how to use Gateway API to configure an HTTP traffic routing rule. The routing rule is used to expose the httpbin application on the ingress gateway. You must create a gateway and an HTTPRoute in the ACK cluster.

Create a gateway.

Create a gateway.yaml file that contains the following content.

The configurations in the file indicate that the gateway is applied on the specified ingress gateway and a listener whose host is *.aliyun.com is created. Routing rules of all namespaces are allowed to use the listener. The listener uses port 80 (HTTP). Replace ${Name of the ingress gateway} in the YAML file with the name of the deployed ingress gateway.

Show the gateway.yaml file

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-system
spec:
  addresses:  # Specifies the ingress gateways on which the gateway is applied.  
  - type: Hostname
    value: istio-${Name of the ingress gateway}.istio-system.svc.cluster.local
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    hostname: '*.aliyun.com'  # You cannot specify this parameter as an asterisk (*) to match all hosts. If you want to match all hosts, leave this field empty. 
    name: default
    port: 80
    protocol: HTTP

Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file, and then run the following command to deploy the gateway:
```
kubectl apply -f gateway.yaml
```

Create an HTTPRoute.

Create an http-route.yaml file that contains the following content.

The configurations in the file indicate that the routing rule uses the gateway named gateway in the istio-system namespace. All listeners of the gateway are used here because you do not specify the name of the listener that you want to use. Requests whose paths are prefixed with /get are routed to port 8000 of the httpbin application in the same namespace.

Show the http-route.yaml file

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: http
  namespace: default
spec:
  parentRefs:  # The route can be attached to different gateways. 
  - name: gateway
    namespace: istio-system
  hostnames: ["*.aliyun.com"]
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /get
    backendRefs:  # By default, only services in the same namespace can be referenced. If you want to use services in different namespaces, configure ReferenceGrant. https://gateway-api.sigs.k8s.io/api-types/referencegrant/
    - name: httpbin 
      port: 8000

Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file, and then run the following command to deploy the HTTPRoute:
```
kubectl apply -f http-route.yaml
```

Run the following command to access the httpbin application by using the ingress gateway and check whether the HTTP traffic routing rule takes effect:

curl -I -HHost:httpbin.aliyun.com "http://${IP address of the ingress gateway}:80/get"

Expected output:

HTTP/1.1 200 OK
server: istio-envoy
date: Fri, 12 May 2023 08:16:30 GMT
content-type: application/json
content-length: 516
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 4

In the preceding output, you can find that 200 OK is returned. This indicates that the HTTP traffic routing rule takes effect.

Step 4: Configure an HTTPS traffic routing rule

The following section describes how to use Gateway API to configure an HTTPS traffic routing rule, expose the httpbin application on the ingress gateway by using the rule, and perform Transport Level Security (TLS) termination on the ingress gateway. You must create a gateway and an HTTPRoute in the ACK cluster.

Use the certificate management feature of ASM to create a certificate for the a.aliyun.com host to use HTTPS. Set the certificate name to myexample-credential. For more information, see Step 1: Prepare server certificates and private keys for multiple servers.

Create a gateway.

Create a gateway-https.yaml file that contains the following content.

Replace ${Name of the ingress gateway} in the YAML file with the name of the deployed ingress gateway.

Show the gateway-https.yaml file

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway-https
  namespace: istio-system
spec:
  addresses:  # Specifies the ingress gateways on which the gateway is applied. 
  - type: Hostname
    value: istio-${Name of the ingress gateway}.istio-system.svc.cluster.local
  gatewayClassName: istio
  listeners:
  - name: https
    hostname: "*.aliyun.com"
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: myexample-credential
    allowedRoutes:
      namespaces:
        from: All

Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file, and then run the following command to deploy the gateway:
```
kubectl apply -f gateway-https.yaml
```

Create an HTTPRoute.

Create an httpbin-https.yaml file that contains the following content:

Show the httpbin-https.yaml file

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: httpbin-https
  namespace: default
spec:
  parentRefs:
  - name: gateway-https
    namespace: istio-system
  hostnames: ["*.aliyun.com"]
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /status
    - path:
        type: PathPrefix
        value: /delay
    backendRefs:
    - name: httpbin
      port: 8000

Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file, and then run the following command to deploy the HTTPRoute:
```
kubectl apply -f httpbin-https.yaml
```

Run the following command to access the httpbin application by using the ingress gateway and check whether the HTTPS traffic routing rule takes effect:

curl -k -H Host:a.aliyun.com --resolve a.aliyun.com:443:{IP address of the deployed ingress gateway} https://a.aliyun.com/status/418

Expected output:

    -=[ teapot ]=-

       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`

The output indicates that the HTTPS traffic routing rule takes effect.