Gateway
- Gateway
- Port
- Server
- Server.TLSOptions
- Server.TLSOptions.TLSProtocol
- Server.TLSOptions.TLSmode

Gateway

Gateway describes a load balancer operating at the edge of the meshreceiving incoming or outgoing HTTP/TCP connections. The specificationdescribes a set of ports that should be exposed, the type of protocol touse, SNI configuration for the load balancer, etc.

For example, the following Gateway configuration sets up a proxy to actas a load balancer exposing port 80 and 9080 (http), 443 (https),9443(https) and port 2379 (TCP) for ingress. The gateway will beapplied to the proxy running on a pod with labels app:my-gateway-controller. While Istio will configure the proxy to listenon these ports, it is the responsibility of the user to ensure thatexternal traffic to these ports are allowed into the mesh.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      httpsRedirect: true # sends 301 redirect for http requests
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      mode: SIMPLE # enables HTTPS on this port
      serverCertificate: /etc/certs/servercert.pem
      privateKey: /etc/certs/privatekey.pem
  - port:
      number: 9443
      name: https-9443
      protocol: HTTPS
    hosts:
    - "bookinfo-namespace/*.bookinfo.com"
    tls:
      mode: SIMPLE # enables HTTPS on this port
      credentialName: bookinfo-secret # fetches certs from Kubernetes secret
  - port:
      number: 9080
      name: http-wildcard
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 2379 # to expose internal service via external port 2379
      name: mongo
      protocol: MONGO
    hosts:
    - "*"

The Gateway specification above describes the L4-L6 properties of a loadbalancer. A VirtualService can then be bound to a gateway to controlthe forwarding of traffic arriving at a particular host or gateway port.

For example, the following VirtualService splits traffic forhttps://uk.bookinfo.com/reviews, https://eu.bookinfo.com/reviews,http://uk.bookinfo.com:9080/reviews,http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) ofan internal reviews service on port 9080. In addition, requestscontaining the cookie “user: dev-123” will be sent to special port 7777in the qa version. The same rule is also applicable inside the mesh forrequests to the “reviews.prod.svc.cluster.local” service. This rule isapplicable across ports 443, 9080. Note that http://uk.bookinfo.comgets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo-rule
  namespace: bookinfo-namespace
spec:
  hosts:
  - reviews.prod.svc.cluster.local
  - uk.bookinfo.com
  - eu.bookinfo.com
  gateways:
  - some-config-namespace/my-gateway
  - mesh # applies to all the sidecars in the mesh
  http:
  - match:
    - headers:
        cookie:
          exact: "user=dev-123"
    route:
    - destination:
        port:
          number: 7777
        host: reviews.qa.svc.cluster.local
  - match:
    - uri:
        prefix: /reviews/
    route:
    - destination:
        port:
          number: 9080 # can be omitted if it's the only port for reviews
        host: reviews.prod.svc.cluster.local
      weight: 80
    - destination:
        host: reviews.qa.svc.cluster.local
      weight: 20

The following VirtualService forwards traffic arriving at (external)port 27017 to internal Mongo server on port 5555. This rule is notapplicable internally in the mesh as the gateway list omits thereserved name mesh.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo-Mongo
  namespace: bookinfo-namespace
spec:
  hosts:
  - mongosvr.prod.svc.cluster.local # name of internal Mongo service
  gateways:
  - some-config-namespace/my-gateway # can omit the namespace if gateway is in same
                                       namespace as virtual service.
  tcp:
  - match:
    - port: 27017
    route:
    - destination:
        host: mongo.prod.svc.cluster.local
        port:
          number: 5555

It is possible to restrict the set of virtual services that can bind toa gateway server using the namespace/hostname syntax in the hosts field.For example, the following Gateway allows any virtual service in the ns1namespace to bind to it, while restricting only the virtual service withfoo.bar.com host in the ns2 namespace to bind to it.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "ns1/*"
    - "ns2/foo.bar.com"

Gateway

Gateway describes a load balancer operating at the edge of the meshreceiving incoming or outgoing HTTP/TCP connections.

Field	Type	Description	Required
`servers`	`Server[]`	A list of server specifications.	Yes
`selector`	`map<string, string>`	One or more labels that indicate a specific set of pods/VMson which this gateway configuration should be applied. The scope oflabel search is restricted to the configuration namespace in which thethe resource is present. In other words, the Gateway resource mustreside in the same namespace as the gateway workload instance.	Yes

Port

Port describes the properties of a specific port of a service.

Field	Type	Description	Required
`number`	`uint32`	A valid non-negative integer port number.	Yes
`protocol`	`string`	The protocol exposed on the port.MUST BE one of HTTP\|HTTPS\|GRPC\|HTTP2\|MONGO\|TCP\|TLS.TLS implies the connection will be routed based on the SNI header tothe destination without terminating the TLS connection.	Yes
`name`	`string`	Label assigned to the port.	No

Server

Server describes the properties of the proxy on a given load balancerport. For example,

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-ingress
spec:
  selector:
    app: my-ingress-gateway
  servers:
  - port:
      number: 80
      name: http2
      protocol: HTTP2
    hosts:
    - "*"

Another example

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-tcp-ingress
spec:
  selector:
    app: my-tcp-ingress-gateway
  servers:
  - port:
      number: 27018
      name: mongo
      protocol: MONGO
    hosts:
    - "*"

The following is an example of TLS configuration for port 443

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-tls-ingress
spec:
  selector:
    app: my-tls-ingress-gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem

Field	Type	Description	Required
`port`	`Port`	The Port on which the proxy should listen for incomingconnections.	Yes
`hosts`	`string[]`	One or more hosts exposed by this gateway.While typically applicable toHTTP services, it can also be used for TCP services using TLS with SNI.A host is specified as a `dnsName` with an optional `namespace/` prefix.The `dnsName` should be specified using FQDN format, optionally includinga wildcard character in the left-most component (e.g., `prod/.example.com`).Set the `dnsName` to to select all `VirtualService` hosts from thespecified namespace (e.g.,`prod/`).The `namespace` can be set to or `.`, representing any or the currentnamespace, respectively. For example, `/foo.example.com` selects theservice from any available namespace while `./foo.example.com` only selectsthe service from the namespace of the sidecar. The default, if no `namespace/`is specified, is `/`, that is, select services from any namespace.Any associated `DestinationRule` in the selected namespace will also be used.A `VirtualService` must be bound to the gateway and must have one ormore hosts that match the hosts specified in a server. The matchcould be an exact match or a suffix match with the server’s hosts. Forexample, if the server’s hosts specifies `.example.com`, a`VirtualService` with hosts `dev.example.com` or `prod.example.com` willmatch. However, a `VirtualService` with host `example.com` or`newexample.com` will not match.NOTE: Only virtual services exported to the gateway’s namespace(e.g., `exportTo` value of ) can be referenced.Private configurations (e.g., `exportTo` set to `.`) will not beavailable. Refer to the `exportTo` setting in `VirtualService`,`DestinationRule`, and `ServiceEntry` configurations for details.	Yes
`tls`	`TLSOptions`	Set of TLS related options that govern the server’s behavior. Usethese options to control if all http requests should be redirected tohttps, and the TLS modes to use.	No
`defaultEndpoint`	`string`	The loopback IP endpoint or Unix domain socket to which traffic shouldbe forwarded to by default. Format should be `127.0.0.1:PORT` or`unix:///path/to/socket` or `unix://@foobar` (Linux abstract namespace).	No

Server.TLSOptions

Field	Type	Description	Required
`httpsRedirect`	`bool`	If set to true, the load balancer will send a 301 redirect for allhttp connections, asking the clients to use HTTPS.	No
`mode`	`TLSmode`	Optional: Indicates whether connections to this port should besecured using TLS. The value of this field determines how TLS isenforced.	No
`serverCertificate`	`string`	REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the fileholding the server-side TLS certificate to use.	No
`privateKey`	`string`	REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the fileholding the server’s private key.	No
`caCertificates`	`string`	REQUIRED if mode is `MUTUAL`. The path to a file containingcertificate authority certificates to use in verifying a presentedclient side certificate.	No
`credentialName`	`string`	The credentialName stands for a unique identifier that can be usedto identify the serverCertificate and the privateKey. ThecredentialName appended with suffix “-cacert” is used to identifythe CaCertificates associated with this server. Gateway workloadscapable of fetching credentials from a remote credential store suchas Kubernetes secrets, will be configured to retrieve theserverCertificate and the privateKey using credentialName, insteadof using the file system paths specified above. If using mutual TLS,gateway workload instances will retrieve the CaCertificates usingcredentialName-cacert. The semantics of the name are platformdependent. In Kubernetes, the default Istio supplied credentialserver expects the credentialName to match the name of theKubernetes secret that holds the server certificate, the privatekey, and the CA certificate (if using mutual TLS). Set the`ISTIO_META_USER_SDS` metadata variable in the gateway’s proxy toenable the dynamic credential fetching feature.	No
`subjectAltNames`	`string[]`	A list of alternate names to verify the subject identity in thecertificate presented by the client.	No
`verifyCertificateSpki`	`string[]`	An optional list of base64-encoded SHA-256 hashes of the SKPIs ofauthorized client certificates.Note: When both verify_certificate_hash and verify_certificate_spkiare specified, a hash matching either value will result in thecertificate being accepted.	No
`verifyCertificateHash`	`string[]`	An optional list of hex-encoded SHA-256 hashes of theauthorized client certificates. Both simple and colon separatedformats are acceptable.Note: When both verify_certificate_hash and verify_certificate_spkiare specified, a hash matching either value will result in thecertificate being accepted.	No
`minProtocolVersion`	`TLSProtocol`	Optional: Minimum TLS protocol version.	No
`maxProtocolVersion`	`TLSProtocol`	Optional: Maximum TLS protocol version.	No
`cipherSuites`	`string[]`	Optional: If specified, only support the specified cipher list.Otherwise default to the default cipher list supported by Envoy.	No

Server.TLSOptions.TLSProtocol

TLS protocol versions.

Name	Description
`TLS_AUTO`	Automatically choose the optimal TLS version.
`TLSV1_0`	TLS version 1.0
`TLSV1_1`	TLS version 1.1
`TLSV1_2`	TLS version 1.2
`TLSV1_3`	TLS version 1.3

Server.TLSOptions.TLSmode

TLS modes enforced by the proxy

Name	Description
`PASSTHROUGH`	The SNI string presented by the client will be used as the matchcriterion in a VirtualService TLS route to determine thedestination service from the service registry.
`SIMPLE`	Secure connections with standard TLS semantics.
`MUTUAL`	Secure connections to the downstream using mutual TLS by presentingserver certificates for authentication.
`AUTO_PASSTHROUGH`	Similar to the passthrough mode, except servers with this TLS modedo not require an associated VirtualService to map from the SNIvalue to service in the registry. The destination details such asthe service/subset/port are encoded in the SNI value. The proxywill forward to the upstream (Envoy) cluster (a group ofendpoints) specified by the SNI value. This server is typicallyused to provide connectivity between services in disparate L3networks that otherwise do not have direct connectivity betweentheir respective endpoints. Use of this mode assumes that both thesource and the destination are using Istio mTLS to secure traffic.
`ISTIO_MUTUAL`	Secure connections from the downstream using mutual TLS by presentingserver certificates for authentication.Compared to Mutual mode, this mode uses certificates, representinggateway workload identity, generated automatically by Istio formTLS authentication. When this mode is used, all other fields in`TLSOptions` should be empty.