Prepare to setup the Gateway API for Cloud Service Mesh

This page describes how to install the required custom resource definitions for the gateway into your cluster.

Limitations

  • Having a mix of gateway config-api and istio config-api clusters in the same fleet is not supported.
  • Multi-cluster service discovery and load balancing is not supported for gateway config-api clusters.
  • If a cluster is onboarded using the existing --management automatic flag then the cluster starts using the istio configuration API and cannot change to gateway API.
  • Only FQDNs are supported. Short names are not supported.

Prerequisites

As a starting point, this guide assumes that you have already created a Google Cloud project and installed kubectl.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Kubernetes Engine, GKE Hub, and Cloud Service Mesh APIs.

    Enable the APIs

  5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  6. Make sure that billing is enabled for your Google Cloud project.

  7. Enable the Kubernetes Engine, GKE Hub, and Cloud Service Mesh APIs.

    Enable the APIs

Create and register a GKE cluster

gcloud

Create a GKE cluster:

gcloud container clusters create CLUSTER_NAME \
--location=LOCATION \
--enable-ip-alias \
--scopes=https://www.googleapis.com/auth/cloud-platform \
--release-channel=regular \
--project=PROJECT_ID \
--gateway-api=standard \
--workload-pool=PROJECT_ID.svc.id.goog \
--workload-metadata=GKE_METADATA

where:

  • CLUSTER_NAME is the name of your cluster
  • LOCATION is the location of your cluster
  • PROJECT_ID is the project ID of your cluster

Console

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

    Go to Google Kubernetes Engine

  2. Click Create.

  3. In the Standard section, click Configure.

  4. In the Cluster basics section, complete the following:

    1. Enter the Name for your cluster.
    2. For the Location type, select a Compute Engine region for your cluster.
  5. In the navigation pane, click default-pool under Node Pools section, and select Security.

  6. In the Access scopes list, select Set access for each API, and set Cloud Platform as Enabled.

  7. In the navigation pane, click Networking under Cluster section.

  8. In the Cluster Networking list, select Enable Gateway API.

  9. In the navigation pane, click Security under Cluster section.

  10. In the Security list, select Enable Workload Identity.

  11. Click Create.

After the cluster is created,

  1. Register your cluster to a fleet:

    gcloud container fleet memberships register CLUSTER_NAME \
    --gke-cluster LOCATION/CLUSTER_NAME \
    --project=PROJECT_ID
    
  2. Verify that the cluster is registered to the fleet:

    gcloud container fleet memberships list --project=PROJECT_ID
    

    The output is similar to:

    NAME            EXTERNAL_ID                             LOCATION
    my-cluster      91980bb9-593c-4b36-9170-96445c9edd39    us-west1
    

Set up permissions

Note that the following commands grant permission to all authenticated users, but you can use Workload Identity Federation for GKE to grant permission to only select accounts.

  1. Grant the trafficdirector.client role:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member "group:PROJECT_ID.svc.id.goog:/allAuthenticatedUsers/" \
        --role "roles/trafficdirector.client"
    
  2. Grant the container.developer role:

    gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com" \
    --role "roles/container.developer"
    

    where PROJECT_NUMBER is your project number.

  3. Grant the compute.networkAdmin role:

    gcloud projects add-iam-policy-binding PROJECT_ID \
    --member "serviceAccount:service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com" \
    --role "roles/compute.networkAdmin"
    

    where PROJECT_NUMBER is your project number.

Enable Cloud Service Mesh

  1. Enable the mesh feature:

    gcloud container fleet mesh enable --project PROJECT_ID
    
  2. Update the mesh to use the Gateway API:

    gcloud alpha container fleet mesh update \
    --config-api gateway \
    --memberships CLUSTER_NAME \
    --project PROJECT_ID
    
  3. Verify the update by describing the status of Cloud Service Mesh resource:

    gcloud alpha container fleet mesh describe
    

Set your fleet new memberships to use the Gateway API by default (optional)

Alternatively, you can create fleet-level default settings for new GKE clusters registered to the fleet during cluster creation to be automatically configured with Gateway API.

  1. Create a YAML file specifying using Gateway API:

    echo "configapi: gateway" > mesh.yaml
    
  2. Update your mesh:

    gcloud alpha container fleet mesh update --project FLEET_PROJECT_ID \
        --fleet-default-member-config mesh.yaml
    
  3. Create a cluster and register them to your fleet in one step to use the default configuration:

    gcloud container clusters create CLUSTER_NAME \
        --project PROJECT_ID \
        --fleet-project FLEET_PROJECT_ID \
        --location=LOCATION \
    
  4. Enable Workload Identity Federation for GKE and run the GKE Metadata Server on your node.

Install custom resource definitions

Generate a kubeconfig entry for your cluster:

gcloud container clusters get-credentials CLUSTER_NAME --location LOCATION --project PROJECT_ID

where:

  • CLUSTER_NAME is the name of your cluster
  • LOCATION is the location of your cluster
  • PROJECT_ID is the project ID of your cluster

Install the GRPCRoute custom resource definition (CRD):

curl https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml \
| kubectl apply -f -

The output is similar to:

customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io created

What's next