East-west gateway without external IP
I am using Istio 1.17.3 and I want to deploy a multicluster mesh where each cluster is in a different network. I am following the Install Multi-Primary on different networks guide, and my environment doesn't support external load balancers. So when I install an east-west gateway it doesn't get an external IP and I cannot get any cross-cluster traffic.
Is there any workaround for this (e.g. accessing the gateway using a nodePort)?
Yes, we do support NodePort for multi-network.
The docs have you use the gen-eastwest-gateway.sh. After generating the YAML using that command, you'd need to edit one section:

```yaml
values:
  gateways:
    istio-ingressgateway:
      injectionTemplate: gateway
      type: NodePort # add this
```

The multi-cluster service discovery machinery is set up to handle node port.
Very much appreciate your help 😄
I currently need to form a large service mesh cluster using a multi-primary, multi-network mode with three clusters. Is it necessary for each cluster to configure the access credentials of the other two clusters' API-Server? Does Istio support this configuration? Do East-West gateways also need to be configured for mutual communication between each pair? Is there a best practice in the community for three clusters with multi-primary and multi-network?
Istio's multi-cluster design currently requires API server access to be shared with each primary cluster.
Primary-Remote would only require supplying the remote clusters' credentials to each primary (you could have 1 primary, 2 remote).
Another option would be more manual: creating `WorkloadEntry` resources and `Gateway` resources by hand that represent resources that exist in other clusters. An example can be found in this integration test. A `Gateway` represents a remote eastwest gateway; we say the address `1.2.3.4:15443` can be used to reach any endpoint on `network-foo`. Then we create a `WorkloadEntry` on `network-foo` with no address. A service selecting that `WorkloadEntry` would go through the gateway.
The caveats being:
- You don't get automated updates if you have no workloads behind that "virtual" workloadentry.
- You don't get automated updates for the Gateway resource
- The WorkloadEntry may not have the correct weight for the # of workloads in the remote network.
TL;DR we have APIs that can be used to configure some cross-network traffic without sharing API server credentials, but you lose most of the automation that Istio provides.
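The manual approach described in the comment above, as an added example that is not from the issue thread or the linked integration test. It declares the remote east-west gateway 1.2.3.4:15443 for network-foo through the mesh-wide meshNetworks setting (the comment does this with a Gateway resource; the meshNetworks form is used here instead), then a WorkloadEntry on network-foo with no address, and a Kubernetes Service that selects it. The helloworld app name, the sample namespace and port 5000 are assumed; the remote cluster must run the same service so its gateway can forward the AUTO_PASSTHROUGH connection.

```yaml
# Assumed: applied in the local (primary) cluster, which has no API server
# credentials for the cluster that owns network-foo.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      meshNetworks:
        network-foo:
          endpoints: []
          gateways:
            # Remote eastwest gateway reachable from this cluster.
            # The address is a constructed placeholder from the comment above.
            - address: 1.2.3.4
              port: 15443
---
# One "virtual" endpoint living on network-foo. No address: Istio routes to the
# network gateway declared above, using SNI for the target service. This is a
# single endpoint, so it will not reflect the real number of remote workloads.
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: helloworld-remote
  namespace: sample
spec:
  network: network-foo
  labels:
    app: helloworld
---
# Local Service whose selector matches both local pods and the WorkloadEntry;
# traffic to the WorkloadEntry endpoint leaves through the remote gateway.
apiVersion: v1
kind: Service
metadata:
  name: helloworld
  namespace: sample
spec:
  selector:
    app: helloworld
  ports:
    - name: http
      port: 5000
      targetPort: 5000
```

None of these three resources are updated automatically when the remote cluster changes, which is the loss of automation the comment describes.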
I have added the type NodePort in the eastwestgateway IstioOperator, and exposed the gateway with the Gateway CRD. But it seems that the traffic from the west cluster did not find the eastwestgateway in the east cluster by NodePort.
```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: eastwest
spec:
  revision: ""
  profile: empty
  tag: 1.17.3
  components:
    ingressGateways:
      - name: istio-eastwestgateway
        label:
          istio: eastwestgateway
          app: istio-eastwestgateway
          topology.istio.io/network: east-network
        enabled: true
        k8s:
          env:
            # traffic through this gateway should be routed inside the network
            - name: ISTIO_META_REQUESTED_NETWORK_VIEW
              value: east-network
          service:
            ports:
              - name: status-port
                port: 15021
                targetPort: 15021
              - name: tls
                port: 15443
                targetPort: 15443
              - name: tls-istiod
                port: 15012
                targetPort: 15012
              - name: tls-webhook
                port: 15017
                targetPort: 15017
  values:
    gateways:
      istio-ingressgateway:
        injectionTemplate: gateway
        type: NodePort
    global:
      network: east-network
```

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: cross-network-gateway
  namespace: istio-system
spec:
  selector:
    istio: eastwestgateway
  servers:
    - port:
        number: 15443
        name: tls
        protocol: TLS
      tls:
        mode: AUTO_PASSTHROUGH
      hosts:
        - "*.local"
```
Besides, the eastwestgateway generated by gen-eastwest-gateway.sh did not contain mesh-id info. Is this right?
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2024-01-30. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.
Created by the issue and PR lifecycle manager.
Have you solved the problem? I don’t have an external IP either.
Yes, I have solved this problem: you can install a load balancer like nginx outside the cluster and forward port 15443.
I am deploying an Istio cluster using a non-flat multi-master solution. If NodePort is used to expose the east-west gateway, does this address need to be set in the Istio of the opposite cluster? Otherwise, the applications deployed by Istio cannot communicate with each other.
No, with the remote-cluster-secret, Istio can discover the service in the opposite cluster. What you have to do is deploy the secrets in the opposite cluster.