Chapter 3. Directing outbound traffic through a gateway
Using Istio APIs, you can configure gateway proxies that were installed using gateway injection to direct traffic that is bound for an external service.
3.1. About directing egress traffic through a gateway
You can configure a gateway installed using gateway injection as an exit point for the traffic leaving a service mesh. In this configuration, the gateway acts as a forward proxy for requests sent to the services that are external to the mesh.
Configuring a gateway for egress traffic can help fulfill security requirements. For example, an egress gateway can be used in environments where traffic restrictions require that all traffic exiting a mesh flows through a dedicated set of nodes. Similarly, a gateway can be used when network policies prevent application nodes from directly accessing external services. In such scenarios, gateway proxies are deployed on dedicated egress nodes capable of accessing external services. These nodes can then be subjected to strict network policy enforcement or additional monitoring to enhance security. Note that the mesh configuration alone does not prevent a workload from bypassing the gateway: it only routes traffic that passes through the sidecar proxies. Network policies that block direct external access from application nodes are what make the egress path mandatory.
To configure a gateway installed using gateway injection to direct the egress traffic, use a combination of the Istio ServiceEntry, Gateway, VirtualService, and DestinationRule resources. Use the ServiceEntry resource to define the properties of an external service. The external service is added to the Istio service registry for the mesh. This enables you to apply Istio features, such as monitoring and routing rules, to the traffic exiting the mesh that is destined for an external service. Use the Gateway, VirtualService, and DestinationRule resources to set up rules that route traffic from the mesh to the external service using the gateway proxy.
3.2. Directing egress traffic through a gateway using Istio APIs
Use Istio APIs to direct outbound HTTP traffic through a gateway that was installed using gateway injection.
Prerequisites
- You have installed a gateway using gateway injection.
Procedure
Create a namespace called curl by running the following command:

$ oc create namespace curl

Depending on the update strategy you are using, enable sidecar injection in the namespace by running the appropriate commands:

If you are using the InPlace update strategy, run the following command:

$ oc label namespace curl istio-injection=enabled

If you are using the RevisionBased update strategy, run the following commands:

Display the revision name by running the following command:

$ oc get istiorevisions.sailoperator.io

Example output

NAME      TYPE    READY   STATUS    IN USE   VERSION   AGE
default   Local   True    Healthy   True     v1.24.3   3m33s

Label the namespace with the revision name to enable sidecar injection by running the following command:

$ oc label namespace curl istio.io/rev=default
Deploy a curl application by running the following command:

$ oc apply -n curl -f https://raw.githubusercontent.com/openshift-service-mesh/istio/refs/heads/master/samples/curl/curl.yaml

Export a CURL_POD environment variable that has been initialized with the name of the curl pod:

$ export CURL_POD=$(oc get pod -n curl -l app=curl -o jsonpath='{.items[0].metadata.name}')
Create a YAML file named http-se.yaml that directs traffic from the mesh to an external service. The following example defines a ServiceEntry for an external host.

Example configuration

Apply the YAML file by running the following command:

$ oc apply -f http-se.yaml

Ensure the ServiceEntry configuration was applied correctly. Send an HTTP request to the host that you specified in the previous step by running the following command:

$ oc exec "$CURL_POD" -n curl -c curl -- curl -sSL -o /dev/null -D - http://docs.redhat.com

This command should return HTTP status codes, such as 301 (redirect) or 200 (success), indicating that the connection works. At this stage the sidecar still sends the request directly to the external host; the gateway is not yet involved.

Create a YAML file named http-gtw.yaml that creates an egress Gateway and routes traffic from the mesh to the host specified for the external service.

Example configuration
Apply the YAML file by running the following command:

$ oc apply -f http-gtw.yaml

Create a YAML file named http-vs.yaml that sets up a VirtualService to manage the flow of traffic from the application sidecars through the egress gateway to the external host.

Example configuration

Apply the YAML file by running the following command:

$ oc apply -f http-vs.yaml

Resend the HTTP request to the URL:

$ oc exec "$CURL_POD" -n curl -c curl -- curl -sSL -o /dev/null -D - http://docs.redhat.com
The terminal should display information similar to the following output:

Example output

Ensure that the request was routed through the gateway by running the following command:

$ oc logs deployment/<gateway_name> -n <gateway_namespace> | tail -1

Note: Access logging must be enabled for this verification step to work. You can enable access logging to the standard output by setting the spec.values.meshConfig.accessLogFile field to /dev/stdout in the Istio resource.

The terminal should display information similar to the following output:

Example output

[2024-11-07T14:35:52.428Z] "GET / HTTP/2" 301 - via_upstream - "-" 0 0 24 24 "10.128.2.30" "curl/8.11.0" "79551af2-341b-456d-b414-9220b487a03b" "docs.redhat.com" "23.55.176.201:80" outbound|80||docs.redhat.com 10.128.2.29:49766 10.128.2.29:80 10.128.2.30:38296 -

In this line the downstream address (10.128.2.30) is the curl pod, the local address (10.128.2.29:80) is the gateway listener, and the upstream cluster outbound|80||docs.redhat.com with its resolved endpoint shows that the gateway, not the sidecar, opened the connection to the external host.
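As an added, complete example (not taken from the original page or from the OpenShift Service Mesh project), the following single file contains the three resources that the procedure above applies as http-se.yaml, http-gtw.yaml, and http-vs.yaml. It assumes that the gateway was installed by gateway injection as a Deployment and Service named istio-egressgateway in the namespace istio-egress, with pods labeled istio: egressgateway; substitute your own <gateway_name> and <gateway_namespace>. No DestinationRule is needed for plain HTTP; one becomes necessary when the gateway originates TLS to the external host.

```yaml
# Added example, not from the original page: ServiceEntry + Gateway +
# VirtualService that send HTTP traffic for docs.redhat.com from application
# sidecars through an egress gateway installed by gateway injection.
#
# Assumptions (not stated on the page):
#   - gateway Deployment and Service are named istio-egressgateway in the
#     namespace istio-egress, and its pods carry the label istio: egressgateway
#   - the gateway Service exposes port 80
# Apply with: oc apply -f egress-http.yaml
---
# 1. Register the external host in the mesh service registry.
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: docs-redhat-com
  namespace: istio-egress
spec:
  hosts:
  - docs.redhat.com
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
---
# 2. Open port 80 on the gateway proxy, for this host only.
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: istio-egressgateway
  namespace: istio-egress
spec:
  selector:
    istio: egressgateway   # assumed pod label of the injected gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - docs.redhat.com
---
# 3. Two-hop routing: sidecars (the reserved "mesh" gateway) send the host to
#    the egress gateway Service; the gateway forwards it to the external host.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: docs-redhat-com-through-egress
  namespace: istio-egress
spec:
  hosts:
  - docs.redhat.com
  gateways:
  - mesh
  - istio-egressgateway
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-egress.svc.cluster.local
        port:
          number: 80
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: docs.redhat.com
        port:
          number: 80
```

The VirtualService carries two routes: the first matches traffic from any sidecar and sends it to the gateway Service inside the mesh, where it is protected by mesh mutual TLS; the second matches traffic arriving on the Gateway listener and forwards it to the ServiceEntry host. Setting meshConfig.outboundTrafficPolicy.mode to REGISTRY_ONLY additionally blocks sidecar traffic to hosts that have no ServiceEntry, but neither setting stops a workload that bypasses its sidecar; that requires network policy on the nodes, as described in 3.1.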
3.3. Directing egress traffic through a gateway by using the Kubernetes Gateway API
Use the Kubernetes Gateway API to direct outbound HTTP traffic through an egress gateway.
Prerequisites

- You installed an Istio control plane.
- You configured the Istio and IstioCNI resources.
Procedure
Optional: Enable the Kubernetes Gateway API custom resource definitions (CRDs).

Note: On Kubernetes 1.28 and OpenShift Container Platform 4.18 or earlier versions, the Kubernetes Gateway API CRDs are not available by default, and you must enable the CRDs before you can use them. OpenShift Container Platform 4.19 and later versions enable the CRDs by default.
Create a YAML file named gateway-cr.yaml that enables the Kubernetes Gateway API CRDs.

Example Kubernetes Gateway Custom Resource (CR) file

Apply the YAML file by running the following command:

$ oc apply -f gateway-cr.yaml
Create a namespace called egress-gateway by running the following command:

$ oc create namespace egress-gateway

Apply the istio-injection label to the namespace by running the following command:

$ oc label namespace egress-gateway istio-injection=enabled

Create a YAML file named egress-gateway-cr.yaml that defines the egress gateway.

Example egress gateway CR file

Apply the YAML file by running the following command:

$ oc apply -f egress-gateway-cr.yaml
Verification

Verify the status of the gateway configuration by running the following command:

$ oc describe gateway -n egress-gateway

The gateway is ready when the output shows a condition of type Programmed with status True.

Create a curl pod in the egress-gateway namespace by running the following command:

$ oc run test-pod --image=curlimages/curl:latest -n egress-gateway --rm -it --restart=Never -- sh

By using the curl client, verify that you can access httpbin.org through the egress gateway by entering the following command:

$ curl -v http://httpbin.org/get

Desired output shows a response from httpbin.org that indicates egress traffic routes through the configured gateway.
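As an added example (not from the original page or from the Istio project's own files), the following file pairs the Gateway created in this procedure with the routing that sends mesh traffic for httpbin.org through it. It assumes the Gateway is named egress-gateway in the namespace egress-gateway, so that Istio's automatic gateway deployment creates a Service named egress-gateway-istio, and that the installed Istio supports its Gateway API extensions for a ServiceEntry as an HTTPRoute parentRef and a Hostname backendRef (both are Istio-specific kinds under the networking.istio.io group, not part of the upstream Gateway API).

```yaml
# Added example, not from the original page: Kubernetes Gateway API egress for
# httpbin.org. Assumptions (not stated on the page):
#   - Gateway name egress-gateway in namespace egress-gateway; Istio creates
#     its Service as egress-gateway-istio (the <name>-istio convention)
#   - the Istio version supports ServiceEntry parentRefs and Hostname
#     backendRefs in HTTPRoute (Istio extensions of the Gateway API)
# Apply with: oc apply -f egress-gateway-cr.yaml
---
# Register the external host so the mesh knows about it.
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: httpbin-org
  namespace: egress-gateway
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
---
# The egress gateway itself; Istio deploys the proxy for gatewayClassName istio.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: egress-gateway
  namespace: egress-gateway
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    hostname: httpbin.org     # listener accepts only this host
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Same            # only routes in this namespace may attach
---
# Hop 1: traffic that sidecars send to httpbin.org is redirected to the gateway.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-to-egress-gateway
  namespace: egress-gateway
spec:
  parentRefs:
  - kind: ServiceEntry
    group: networking.istio.io
    name: httpbin-org
  rules:
  - backendRefs:
    - name: egress-gateway-istio   # assumed auto-created gateway Service
      port: 80
---
# Hop 2: the gateway forwards the host to the real external endpoint.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-from-egress-gateway
  namespace: egress-gateway
spec:
  parentRefs:
  - name: egress-gateway
  hostnames:
  - httpbin.org
  rules:
  - backendRefs:
    - kind: Hostname
      group: networking.istio.io
      name: httpbin.org
      port: 80
```

With these routes applied, the curl verification above can be confirmed the same way as in 3.2: with access logging enabled, the gateway pod's log shows the request for httpbin.org arriving from the test pod's sidecar, and the external endpoint appears only as the gateway's upstream.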