Alibaba Cloud Service Mesh: Use Gateway API to define a routing rule

Last Updated: Nov 17, 2023

Gateway API is an open source project managed by the SIG-NETWORK community. The project aims to evolve service networking by providing expressive, extensible, and role-oriented interfaces. You can use Gateway API to define routing rules for accessing applications in a cluster. This topic describes how to use Gateway API to define a routing rule for accessing an application in a cluster.

Prerequisites

Usage notes

  • ASM supports Gateway API 0.6.0.

  • In multi-cluster mode, if gateway resources with the same names are configured in the same namespace in two clusters on the data plane, the resources that are applied later overwrite the resources that are previously created.

Step 1: Confirm that CRDs of the Gateway API component are created in the ACK cluster

By default, CustomResourceDefinitions (CRDs) of the Gateway API component are automatically created in ACK clusters of version 1.24 or later. Perform the following operations to confirm that the CRDs are created in the ACK cluster and that their version is 0.6.0.

Run the following command to check whether the CRDs are created in the ACK cluster:

kubectl get crds | grep gateway.networking.k8s.io
  • If the output is similar to the following code block, the CRDs are created.

    gatewayclasses.gateway.networking.k8s.io                         2023-05-10T02:51:33Z
    gateways.gateway.networking.k8s.io                               2023-05-10T02:51:33Z
    httproutes.gateway.networking.k8s.io                             2023-05-10T02:51:33Z
    referencegrants.gateway.networking.k8s.io                        2023-05-10T02:51:33Z

    Run the following command to check whether the versions of the CRDs are 0.6.0:

    kubectl get crds -o yaml | grep 'gateway.networking.k8s.io/bundle-version: v0.6.0'

    Expected output:

    gateway.networking.k8s.io/bundle-version: v0.6.0
    gateway.networking.k8s.io/bundle-version: v0.6.0
    gateway.networking.k8s.io/bundle-version: v0.6.0
    gateway.networking.k8s.io/bundle-version: v0.6.0
  • If the output does not contain CRDs of the Gateway API component, log on to the ACK console and install the Gateway API component on the Add-ons page. For more information, see Manage components.

Step 2: Enable Gateway API for the ASM instance

Use kubectl to connect to the ASM instance based on the information in the kubeconfig file, and then add the enableGatewayAPI: true field to the ASMMeshConfig resource named default.

apiVersion: istio.alibabacloud.com/v1beta1
kind: ASMMeshConfig
metadata:
  name: default
spec:
  enableGatewayAPI: true

After you set enableGatewayAPI to true, the control plane generates CRDs of the Gateway API component. Both the Gateway API component and Istio contain gateway resources, so the same kubectl command can be ambiguous between the two. To query the gateway resource of the Gateway API component, run the kubectl get gtw command. To query the gateway resource of Istio, run the kubectl get gw command.

Step 3: Configure an HTTP traffic routing rule

The following section describes how to use Gateway API to configure an HTTP traffic routing rule. The routing rule is used to expose the httpbin application on the ingress gateway. You must create a gateway and an HTTPRoute in the ACK cluster.

  1. Create a gateway.

    1. Create a gateway.yaml file that contains the following content.

      The configurations in the file indicate that the gateway is applied on the specified ingress gateway and a listener whose host is *.aliyun.com is created. Routing rules of all namespaces are allowed to use the listener. The listener uses port 80 (HTTP). Replace ${Name of the ingress gateway} in the YAML file with the name of the deployed ingress gateway.

      apiVersion: gateway.networking.k8s.io/v1beta1
      kind: Gateway
      metadata:
        name: gateway
        namespace: istio-system
      spec:
        addresses:  # Specifies the ingress gateways on which the gateway is applied.  
        - type: Hostname
          value: istio-${Name of the ingress gateway}.istio-system.svc.cluster.local
        gatewayClassName: istio
        listeners:
        - allowedRoutes:
            namespaces:
              from: All
          hostname: '*.aliyun.com'  # You cannot specify this parameter as an asterisk (*) to match all hosts. If you want to match all hosts, leave this field empty. 
          name: default
          port: 80
          protocol: HTTP
    2. Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file, and then run the following command to deploy the gateway:

      kubectl apply -f gateway.yaml
  2. Create an HTTPRoute.

    1. Create an http-route.yaml file that contains the following content.

      The configurations in the file indicate that the routing rule uses the gateway named gateway in the istio-system namespace. All listeners of the gateway are used here because you do not specify the name of the listener that you want to use. Requests whose paths are prefixed with /get are routed to port 8000 of the httpbin application in the same namespace.

      apiVersion: gateway.networking.k8s.io/v1beta1
      kind: HTTPRoute
      metadata:
        name: http
        namespace: default
      spec:
        parentRefs:  # The route can be attached to different gateways. 
        - name: gateway
          namespace: istio-system
        hostnames: ["*.aliyun.com"]
        rules:
        - matches:
          - path:
              type: PathPrefix
              value: /get
          backendRefs:  # By default, only services in the same namespace can be referenced. If you want to use services in different namespaces, configure ReferenceGrant. https://gateway-api.sigs.k8s.io/api-types/referencegrant/
          - name: httpbin 
            port: 8000
    2. Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file, and then run the following command to deploy the HTTPRoute:

      kubectl apply -f http-route.yaml
  3. Run the following command to access the httpbin application by using the ingress gateway and check whether the HTTP traffic routing rule takes effect:

    curl -I -HHost:httpbin.aliyun.com "http://${IP address of the ingress gateway}:80/get"

    Expected output:

    HTTP/1.1 200 OK
    server: istio-envoy
    date: Fri, 12 May 2023 08:16:30 GMT
    content-type: application/json
    content-length: 516
    access-control-allow-origin: *
    access-control-allow-credentials: true
    x-envoy-upstream-service-time: 4

    The 200 OK response in the preceding output indicates that the HTTP traffic routing rule takes effect.
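
The gateway.yaml file above admits routes from every namespace (from: All), and the HTTPRoute attaches to every listener because it names none. The following added example, which is not part of the original page, shows the same two resources with attachment narrowed by using standard Gateway API v1beta1 fields; it assumes that routes are created only in the default namespace.

```yaml
# Added example, not part of the original page.
# gateway.yaml variant: only namespaces matched by the selector may attach routes.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-system
spec:
  addresses:
  - type: Hostname
    value: istio-${Name of the ingress gateway}.istio-system.svc.cluster.local
  gatewayClassName: istio
  listeners:
  - name: default
    hostname: '*.aliyun.com'
    port: 80
    protocol: HTTP
    allowedRoutes:
      kinds:
      - kind: HTTPRoute          # accept HTTPRoutes only
      namespaces:
        from: Selector           # the page's file uses "All"
        selector:
          matchLabels:
            # Assumption: routes live in "default". Kubernetes sets this label on every namespace.
            kubernetes.io/metadata.name: default
---
# http-route.yaml variant: attach to one named listener instead of all of them.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: http
  namespace: default
spec:
  parentRefs:
  - name: gateway
    namespace: istio-system
    sectionName: default         # listener name from the Gateway above
  hostnames: ["*.aliyun.com"]
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /get
    backendRefs:
    - name: httpbin
      port: 8000
```

With this listener, an HTTPRoute created in a namespace that the selector does not match is not attached to the gateway. The route's status.parents conditions show whether each parent accepted it.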

Step 4: Configure an HTTPS traffic routing rule

The following section describes how to use Gateway API to configure an HTTPS traffic routing rule, expose the httpbin application on the ingress gateway by using the rule, and perform Transport Layer Security (TLS) termination on the ingress gateway. You must create a gateway and an HTTPRoute in the ACK cluster.

  1. Use the certificate management feature of ASM to create a certificate for the a.aliyun.com host to use HTTPS. Set the certificate name to myexample-credential. For more information, see Step 1: Prepare server certificates and private keys for multiple servers.

  2. Create a gateway.

    1. Create a gateway-https.yaml file that contains the following content.

      Replace ${Name of the ingress gateway} in the YAML file with the name of the deployed ingress gateway.

      apiVersion: gateway.networking.k8s.io/v1beta1
      kind: Gateway
      metadata:
        name: gateway-https
        namespace: istio-system
      spec:
        addresses:  # Specifies the ingress gateways on which the gateway is applied. 
        - type: Hostname
          value: istio-${Name of the ingress gateway}.istio-system.svc.cluster.local
        gatewayClassName: istio
        listeners:
        - name: https
          hostname: "*.aliyun.com"
          port: 443
          protocol: HTTPS
          tls:
            mode: Terminate
            certificateRefs:
            - name: myexample-credential
          allowedRoutes:
            namespaces:
              from: All
    2. Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file, and then run the following command to deploy the gateway:

      kubectl apply -f gateway-https.yaml
  3. Create an HTTPRoute.

    1. Create an httpbin-https.yaml file that contains the following content:

      apiVersion: gateway.networking.k8s.io/v1beta1
      kind: HTTPRoute
      metadata:
        name: httpbin-https
        namespace: default
      spec:
        parentRefs:
        - name: gateway-https
          namespace: istio-system
        hostnames: ["*.aliyun.com"]
        rules:
        - matches:
          - path:
              type: PathPrefix
              value: /status
          - path:
              type: PathPrefix
              value: /delay
          backendRefs:
          - name: httpbin
            port: 8000
    2. Use kubectl to connect to the ACK cluster based on the information in the kubeconfig file, and then run the following command to deploy the HTTPRoute:

      kubectl apply -f httpbin-https.yaml
  4. Run the following command to access the httpbin application by using the ingress gateway and check whether the HTTPS traffic routing rule takes effect. The -k option tells curl to skip verification of the server certificate.

    curl -k -H Host:a.aliyun.com --resolve a.aliyun.com:443:${IP address of the deployed ingress gateway} https://a.aliyun.com/status/418

    Expected output:

        -=[ teapot ]=-
    
           _...._
         .'  _ _ `.
        | ."` ^ `". _,
        \_;`"---"`|//
          |       ;/
          \_     _/
            `"""`

    The output indicates that the HTTPS traffic routing rule takes effect.
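
Both HTTPRoutes on this page reference the httpbin Service in the route's own namespace; as the comment in http-route.yaml notes, a backend in another namespace requires a ReferenceGrant. The following added example, which is not part of the original page, shows the pair of resources for that case; the backend namespace and the ReferenceGrant name are hypothetical.

```yaml
# Added example, not part of the original page.
# HTTPRoute in "default" that sends traffic to a Service in another namespace.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: httpbin-https
  namespace: default
spec:
  parentRefs:
  - name: gateway-https
    namespace: istio-system
  hostnames: ["*.aliyun.com"]
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /status
    backendRefs:
    - name: httpbin
      namespace: backend         # hypothetical namespace that runs httpbin
      port: 8000
---
# ReferenceGrant: created in the target namespace by its owner.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-routes-from-default   # hypothetical name
  namespace: backend                # must be the namespace of the referenced Service
spec:
  from:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    namespace: default           # only routes from this namespace are trusted
  to:
  - group: ""                    # core API group, where Service lives
    kind: Service
    name: httpbin                # omit to grant access to every Service in the namespace
```

The grant is one-directional and lives with the backend, so the owner of the backend namespace decides which route namespaces may send traffic to its Services.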