Gateways
A gateway is a proxy at the edge of an ambient mesh. A gateway can be used to allow traffic to enter (ingress) or leave (egress) the mesh.
Creating an ingress gateway
Like waypoints, gateways are deployed using the Kubernetes Gateway API. A simple deployment looks like this:
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All
The gatewayClassName must be set to istio for the Istio control plane to create and manage the gateway. The default is to create a LoadBalancer service, which on most cloud providers will cause a load balancer to be provisioned.
Annotations and labels on the Gateway will be copied to the Service and Deployment that are created. This allows configuring things such as internal load balancers that read from these fields.
Attaching a route to a gateway
Route objects are attached to either gateways or waypoints based on their parentRefs value. See the request routing guide for the differences.
Gateways and waypoints
Both gateways and waypoints can be used to route traffic or perform authentication.
The default behavior of Istio is to send traffic that transits a gateway to the destination directly, even if that destination is enrolled in a waypoint. This is to avoid cases of double handling, for example, where rules for traffic splitting or fault injection could be applied twice.
However, that means you have to add certain policies on both the gateway and the waypoint.
You can enable ingress waypoint routing on a service, such that traffic will be sent from the gateway to the configured waypoint, not to the destination service. To do this, set the label istio.io/ingress-use-waypoint=true on a service.
If you enable this feature, we recommend the following setup:
- Gateway: apply minimal routing logic; strictly enough to pick a backend. Apply only the policies that belong at the edge (for example, rate limiting or user authentication).
- Waypoints: apply all other logic.
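The recommended split, written out as manifests. This is an added example, not part of the original page or the Istio project's own configuration. It assumes a waypoint named waypoint, a Service httpbin on port 8000, and two hypothetical backend Services httpbin-v1 and httpbin-v2, all in the same namespace as httpbin-gateway:

```yaml
# Added example. The Service, waypoint and backend names and port 8000 are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    istio.io/use-waypoint: waypoint        # enroll the service in the (assumed) waypoint
    istio.io/ingress-use-waypoint: "true"  # gateway sends traffic to the waypoint, not directly
spec:
  selector:
    app: httpbin
  ports:
  - name: http
    port: 8000
---
# Gateway route: only enough logic to pick a backend.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-edge
spec:
  parentRefs:
  - name: httpbin-gateway
  rules:
  - backendRefs:
    - name: httpbin
      port: 8000
---
# Waypoint route: attached to the Service, so the split is applied once,
# for both in-mesh callers and traffic arriving through the gateway.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-split
spec:
  parentRefs:
  - group: ""
    kind: Service
    name: httpbin
    port: 8000
  rules:
  - backendRefs:
    - name: httpbin-v1
      port: 8000
      weight: 90
    - name: httpbin-v2
      port: 8000
      weight: 10
```

Without the istio.io/ingress-use-waypoint label, the httpbin-split route and any policy bound to the waypoint are not applied to requests that enter through httpbin-gateway, so those policies would also have to be configured on the gateway.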
Adding TLS certificates to a gateway
Refer to the Gateway API documentation for how to configure a Gateway with TLS certificates.
Using gateways for egress
Check the egress gateway guide to learn how to configure an egress gateway.