[Feature] enable istio gateway with existing azure public ip

Open npcxiao opened this issue 2 years ago • 13 comments

Is your feature request related to a problem? Please describe.

The command `az aks mesh enable-ingress-gateway` does not support enabling the Istio gateway with an existing public IP.

npcxiao avatar Jul 01 '23 15:07 npcxiao

This is required for migrating from Istio OSS (already installed) to Istio Addon in our Production clusters, where we don't want to lose the ingress IP, which is whitelisted in the upstream system.

SatyKrish avatar Jul 05 '23 00:07 SatyKrish

Action required from @Azure/aks-pm

Issue needing attention of @Azure/aks-leads

@npcxiao @SatyKrish we are currently looking into this

nshankar13 avatar May 02 '24 23:05 nshankar13

@nshankar13 Is this still being looked into?

deuxailes avatar May 29 '24 20:05 deuxailes

@deuxailes we are working towards supporting Gateway API in the coming months and we are leaning towards keeping that as the UX for configuring the IP address (via the Gateway resource). There are currently some implementation details and edge cases that we still need to work out.

nshankar13 avatar May 29 '24 22:05 nshankar13

We are looking for the same for internal IP being static. We currently use OSM/Istio with static IP with DNS/wildcard hostname. Is it possible to assign an IP for internal gateway?

vijaymck avatar Jun 27 '24 11:06 vijaymck

@vijaymck our plan is to support ingress-related customization (IP address, port, name, namespace, etc.) through the Gateway API when we offer support for that. Timelines are still TBD but we are currently working on implementation and design. As of now we do not plan on supporting this for the add-on Istio ingress gateway.

nshankar13 avatar Jun 27 '24 14:06 nshankar13

@vijaymck @SatyKrish @deuxailes @npcxiao we have decided to allow customizing the following annotations to the Istio ingress K8s service. This change has now been globally rolled out:

  • service.beta.kubernetes.io/azure-load-balancer-internal-subnet: to bind an internal ingress gateway to a specific subnet.
  • service.beta.kubernetes.io/azure-shared-securityrule: for exposing the ingress gateway through an augmented security rule.
  • service.beta.kubernetes.io/azure-allowed-service-tags: for specifying which service tags the ingress gateway can receive requests from.
  • service.beta.kubernetes.io/azure-load-balancer-ipv4: for configuring a static IPv4 address.
  • service.beta.kubernetes.io/azure-load-balancer-resource-group: for specifying the resource group of a public IP in a different resource group from the cluster.
  • service.beta.kubernetes.io/azure-pip-name: for specifying the name of a public IP address.

nshankar13 avatar Sep 23 '24 12:09 nshankar13
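
One way to apply the annotations listed in the comment above while rejecting anything outside that list, as an added example that is not part of the thread or of AKS's own tooling. It assumes the annotations are set with `kubectl annotate`, and that the external add-on gateway is the Service `aks-istio-ingressgateway-external` in namespace `aks-istio-ingress`; the values `gw-pip` and `net-rg` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build a `kubectl annotate` command for
# the add-on's ingress Service, accepting only the six annotations listed above.
# Assumed defaults: namespace and Service name of the external add-on gateway.
NS="${NS:-aks-istio-ingress}"
SVC="${SVC:-aks-istio-ingressgateway-external}"
PREFIX="service.beta.kubernetes.io"
ALLOWED="azure-load-balancer-internal-subnet azure-shared-securityrule \
azure-allowed-service-tags azure-load-balancer-ipv4 \
azure-load-balancer-resource-group azure-pip-name"

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
valid_ipv4() {
  case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# build_annotate_cmd KEY=VALUE...: print the command on stdout, or explain the
# rejection on stderr and return 1. KEY is the annotation name without prefix.
build_annotate_cmd() {
  args=""
  for pair in "$@"; do
    key="${pair%%=*}"; val="${pair#*=}"
    case "$pair" in *=*) ;; *) echo "expected KEY=VALUE: $pair" >&2; return 1 ;; esac
    case "$key" in ""|*[!a-z0-9-]*) echo "bad key: $key" >&2; return 1 ;; esac
    case " $ALLOWED " in
      *" $key "*) ;;
      *) echo "unsupported annotation: $key" >&2; return 1 ;;
    esac
    case "$val" in
      ""|*[!A-Za-z0-9._,/-]*) echo "unexpected value: $val" >&2; return 1 ;;
    esac
    if [ "$key" = azure-load-balancer-ipv4 ] && ! valid_ipv4 "$val"; then
      echo "not an IPv4 address: $val" >&2; return 1
    fi
    args="$args $PREFIX/$key=$val"
  done
  [ -n "$args" ] || { echo "no annotations given" >&2; return 1; }
  echo "kubectl annotate service $SVC -n $NS --overwrite$args"
}

# Constructed sample: reuse public IP "gw-pip" from resource group "net-rg".
build_annotate_cmd azure-pip-name=gw-pip azure-load-balancer-resource-group=net-rg
```

The script only prints the command, so it can be reviewed before it is run against a cluster.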

Thank you for the update @nshankar13, will try it out.

vijaymck avatar Sep 27 '24 15:09 vijaymck

Please reopen if you find any issues.

miguelmq avatar Oct 03 '24 17:10 miguelmq