Enabling Ingress with Cloud Service Mesh

This topic shows you how to install Cloud Service Mesh, which comes preinstalled with an Ingress Gateway. With Cloud Service Mesh, you can configure a Kubernetes Ingress resource for your Deployments if you need an Ingress controller. This topic provides an example that shows you how to configure a sample Deployment and Ingress resource.

The installation of Cloud Service Mesh consists of two main parts:

  1. Installing a specific version of the Cloud Service Mesh customer-managed control plane and Ingress Gateway.
  2. Labeling your namespaces with a revision label and redeploying your workloads to inject a sidecar proxy.

If you only need an Ingress controller to serve Ingress objects, you don't have to inject a sidecar proxy into your workload Pods. But if you want the security benefits that Cloud Service Mesh provides, and if you want to use its traffic routing capabilities, you need to inject the sidecar proxies.

Before you begin

Before you start using GKE on AWS, make sure you have performed the following tasks:

  • Install a management service.
  • Create a user cluster.
  • Register your cluster with Connect by following the steps in Connecting to your cluster with Cloud console.
  • Configure your cluster to Use workload identity with Google Cloud.
  • If your user clusters have restricted outbound access to the internet, allow access to the following container repository domains:

    • docker.io
    • quay.io
  • From your anthos-aws directory, use anthos-gke to switch context to your user cluster.

    cd anthos-aws
    env HTTPS_PROXY=http://localhost:8118 \
      anthos-gke aws clusters get-credentials CLUSTER_NAME

    Replace CLUSTER_NAME with your user cluster name.

Installing Anthos Service Mesh

Follow the steps in Install Cloud Service Mesh.

Creating an example Deployment

In this section, you install a sample application and create an Ingress endpoint for it.

  1. Create a Deployment of hello-app and a ClusterIP Service for the Deployment. Copy the following YAML into a file named hello-app.yaml.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: hello-app
      name: hello-app
    spec:
      selector:
        matchLabels:
          app: hello-app
      replicas: 3
      template:
        metadata:
          labels:
            app: hello-app
        spec:
          containers:
          - name: hello
            image: "gcr.io/google-samples/hello-app:2.0"
    ---
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: hello-app
      name: hello-app
    spec:
      type: ClusterIP
      selector:
        app: hello-app
      ports:
      - protocol: TCP
        port: 8080
        targetPort: 8080
    
  2. Apply the YAML to your cluster with kubectl apply.

    env HTTPS_PROXY=http://localhost:8118 \
      kubectl apply -f hello-app.yaml
    
  3. Create a Kubernetes Ingress for the sample application. Copy the following YAML into a file named hello-app-ingress.yaml.

    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: istio
      labels:
        app: hello-app
      name: hello-app
    spec:
      rules:
      - host:
        http:
          paths:
          - backend:
              serviceName: hello-app
              servicePort: 8080
    
  4. Create the Ingress by applying the configuration with kubectl apply.

    env HTTPS_PROXY=http://localhost:8118 \
      kubectl apply -f hello-app-ingress.yaml
    
  5. Check the status of your gateway with kubectl get ingress.

    env HTTPS_PROXY=http://localhost:8118 \
      kubectl get ingress hello-app
    

    The ADDRESS field should have an ELB domain name. If the ADDRESS remains pending, confirm your VPC and Subnet labeling.

  6. You can check the Ingress gateway URL by composing the host and port. To get your gateway URL, perform the following commands:

    export INGRESS_URL=$(env HTTPS_PROXY=http://localhost:8118 \
      kubectl get ingress hello-app -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
    echo "Your hello-app Ingress URL is: http://$INGRESS_URL"
    

    The last command prints the endpoint of your Ingress.

  7. If you created a public Ingress, you can fetch the hello-app default web page with curl from http://$INGRESS_URL/.

    curl "http://$INGRESS_URL/"
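
A check over the Ingress created in steps 3 to 7, as an added example that is not part of the original page: it reads the JSON form of an Ingress (the output of kubectl get ingress hello-app -o json) and reports rules with an empty host, rules not covered by a tls entry, and the load balancer address. The sample object and its hostname example-elb.invalid are constructed, and review_ingress and backend_of are hypothetical names.

```python
import json

# Constructed sample: the shape of `kubectl get ingress hello-app -o json`
# for the manifest above, with a placeholder (not real) ELB hostname.
SAMPLE = json.loads("""
{
  "apiVersion": "networking.k8s.io/v1beta1",
  "kind": "Ingress",
  "metadata": {"name": "hello-app"},
  "spec": {"rules": [{"http": {"paths": [
      {"backend": {"serviceName": "hello-app", "servicePort": 8080}}]}}]},
  "status": {"loadBalancer": {"ingress": [
      {"hostname": "example-elb.invalid"}]}}
}
""")


def backend_of(path):
    """Return (service, port) for v1beta1 or v1 backend layouts."""
    b = path.get("backend", {})
    if "serviceName" in b:                      # networking.k8s.io/v1beta1
        return b["serviceName"], b.get("servicePort")
    svc = b.get("service", {})                  # networking.k8s.io/v1
    port = svc.get("port", {})
    return svc.get("name"), port.get("number", port.get("name"))


def review_ingress(ing):
    """List exposure findings for one Ingress object (parsed JSON)."""
    spec, findings = ing.get("spec", {}), []
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    for rule in spec.get("rules") or []:
        host = rule.get("host") or ""           # `host:` left empty -> None
        for path in (rule.get("http") or {}).get("paths") or []:
            svc, port = backend_of(path)
            target = f"{svc}:{port} at {host or '*'}{path.get('path') or '/'}"
            if not host:                        # rule matches any Host header
                findings.append(f"catch-all host: {target}")
            if not spec.get("tls") or (host and host not in tls_hosts):
                findings.append(f"no TLS (plain HTTP): {target}")
    lb = (ing.get("status", {}).get("loadBalancer") or {}).get("ingress") or []
    addrs = ", ".join(e.get("hostname") or e.get("ip", "?") for e in lb)
    findings.append(f"address: {addrs or 'pending'}")
    return findings


if __name__ == "__main__":
    print("\n".join(review_ingress(SAMPLE)))
```

To run it against the cluster instead of the sample, pass the parsed output of kubectl get ingress hello-app -o json to review_ingress.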
    

Cleaning up

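Remove the hello-app components with kubectl delete.

    # env applies only to the command it prefixes, so set the proxy for both.
    env HTTPS_PROXY=http://localhost:8118 \
      kubectl delete -f hello-app.yaml && \
    env HTTPS_PROXY=http://localhost:8118 \
      kubectl delete -f hello-app-ingress.yaml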

If you would like to remove Cloud Service Mesh, see Uninstalling Cloud Service Mesh.

What's next

Learn more about: