@jeesmon
Last active September 11, 2021 13:20
OpenShift ServiceMesh Additional Ingress Gateway

Steps

  • Edit ServiceMesh Controlplane (SMCP) default
spec:
....
  gateways:
    additionalIngress:
      istio-internal-ingressgateway:
        enabled: true
        service:
          metadata:
            labels:
              app: istio-internal-ingressgateway
              istio: internal-ingressgateway
          type: ClusterIP

This adds a new Ingress Gateway, istio-internal-ingressgateway, in the istio-system namespace. The labels (app and istio) are used as the pod selector for the Service.

oc -n istio-system get svc -l app=istio-internal-ingressgateway,istio=internal-ingressgateway
NAME                            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                              AGE
istio-internal-ingressgateway   ClusterIP   172.21.176.240   <none>        15021/TCP,80/TCP,443/TCP,15443/TCP   15h

oc -n istio-system get po -l app=istio-internal-ingressgateway,istio=internal-ingressgateway
NAME                                            READY   STATUS    RESTARTS   AGE
istio-internal-ingressgateway-c849c648d-2wz5h   1/1     Running   0          15h

oc -n istio-system get route -l app=istio-internal-ingressgateway,istio=internal-ingressgateway
NAME                            HOST/PORT                                                                       PATH   SERVICES                        PORT   TERMINATION   WILDCARD
istio-internal-ingressgateway   istio-internal-ingressgateway-istio-system.xxx.upi.containers.appdomain.cloud          istio-internal-ingressgateway   8080                 None

  • Create a NetworkPolicy to allow ingress traffic to the new gateway pod (NOTE: You no longer need to create this NetworkPolicy for ServiceMesh v2.0.7+. MAISTRA-24110 is fixed)

istio-internal-ingressgateway-network-policy.yaml:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-internal-ingressgateway
  namespace: istio-system
spec:
  ingress:
  - {}
  podSelector:
    matchLabels:
      istio: internal-ingressgateway
  policyTypes:
  - Ingress

oc -n istio-system apply -f istio-internal-ingressgateway-network-policy.yaml

  • Create a Gateway resource with a selector for the new Ingress Gateway

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: istio-system
spec:
  selector:
    istio: internal-ingressgateway
...
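
A narrower alternative to the allow-all `ingress: - {}` rule in the NetworkPolicy step, as an added example that is not part of the original gist. The `- {}` rule admits traffic from any source on any port; this version admits only the OpenShift router and opted-in namespaces. The container ports 8080/8443 and the `internal-gateway-client` namespace label are assumptions.

```yaml
# Added example, not from the original gist.
# Replaces the allow-all rule (ingress: [{}]) with explicit sources and ports.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istio-internal-ingressgateway
  namespace: istio-system
spec:
  podSelector:
    matchLabels:
      istio: internal-ingressgateway
  policyTypes:
  - Ingress
  ingress:
  # OpenShift router pods, so the Route to the gateway keeps working.
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
    ports:
    - protocol: TCP
      port: 8080   # assumed container port behind Service port 80 (the Route above targets 8080)
  # In-cluster clients: only namespaces carrying a hypothetical opt-in label.
  - from:
    - namespaceSelector:
        matchLabels:
          internal-gateway-client: "true"   # hypothetical label, choose your own
    ports:
    - protocol: TCP
      port: 8080   # assumed
    - protocol: TCP
      port: 8443   # assumed container port behind Service port 443
```

NetworkPolicies are additive, so this only restricts traffic if no other policy selecting the gateway pod allows more. Confirm the real container ports from the Service's targetPort values (`oc -n istio-system get svc istio-internal-ingressgateway -o yaml`) before applying.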

Links
