Does Istio on AWS require an AWS ALB? - kubernetes

I will install Istio as a service mesh on AWS EKS. I know that Istio provides its own Ingress Gateway. What I am confused about is: Do we still need to use AWS ALB or ELB in front of Istio Ingress Gateway?

Given that Istio will create a Service for its Ingress Deployment of type LoadBalancer, Kubernetes will take care of provisioning the ELB for you. No need to create it yourself, although you could also configure the Service to point to an existing ELB.
The linked Service is outdated and for ease of reference only. The latest Istio chart is actually here. You should be able to download it and confirm the Service configuration.
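To make the answer concrete, here is an added example (not from the original answer and not the Istio chart's own manifest) of what the ingress gateway Service looks like on EKS when you want AWS to provision a Network Load Balancer instead of the default classic ELB. The annotation keys are the in-tree AWS cloud-provider ones; the target ports 8080/8443 are what recent Istio gateway pods listen on (assumed; older releases listened on 80/443), and the source-range CIDR is a documentation-range placeholder.

```yaml
# Added example: the Service that fronts the Istio ingress gateway on EKS.
# Nothing here is created by hand; applying this (or the chart value that
# renders it) makes the cloud controller provision the load balancer.
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  labels:
    app: istio-ingressgateway
    istio: ingressgateway
  annotations:
    # Ask AWS for an NLB (layer 4) rather than a classic ELB, so TLS is
    # terminated by Envoy and the mesh sees the real ClientHello and SNI.
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    # Uncomment for a VPC-only gateway (no public IP at all).
    # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  # Keep the client source IP (NLB + Local policy); Envoy then logs and
  # rate-limits on the real address instead of a node IP.
  externalTrafficPolicy: Local
  # Restrict who may reach the LB at all; placeholder CIDR, replace it.
  loadBalancerSourceRanges:
  - 203.0.113.0/24
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  ports:
  - name: http2
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8443
```

After applying, `kubectl -n istio-system get svc istio-ingressgateway` should show an AWS hostname under EXTERNAL-IP once the controller has finished; if it stays `<pending>`, the cluster's cloud-controller IAM role or subnet tags are the usual culprits. TLS termination and routing for the hosts behind this Service are still configured with Istio Gateway and VirtualService resources, not on the load balancer.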

Related

My Kubernetes service is running on HTTPS, I wanted to expose it over Istio ingress gateway

I deployed NIFI using the cetic Helm charts in GKE; its service is working on HTTPS.
Now I don't want to make it a load balancer; I'm using the Istio ingress gateway to expose it on my DNS name.
I used Istio for an HTTP service, but now I'm confused about HTTPS.
Please help me with this.

How to configure Ingress Controller on Kubernetes Cluster installed with kubeadm

I installed a Kubernetes cluster with "kubeadm" on Hetzner Cloud.
After successful installation, I installed the Ingress Controller with Helm.
The EXTERNAL-IP of the ingress controller service is in the pending state.
The default type is LoadBalancer, and as far as I know this type is only supported by cloud providers like AWS, Google, ...
So I changed the service type to NodePort.
How should I configure the external DNS for my services?
I don't want to append the 3.... ports but let the Ingress controller manage that for me.
The article Setting up ExternalDNS for Services on Hetzner DNS provides an efficient and working method to manage external DNS.
Main steps
1. Creating a Hetzner DNS zone
2. Creating Hetzner Credentials
3. Deploy ExternalDNS
4. Deploying an Nginx Service
5. Verifying Hetzner DNS records
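The steps above end up as a handful of manifests. The following is an added example (not the linked article's own code) showing an ExternalDNS deployment that watches Ingress objects and writes records into a Hetzner DNS zone, plus one Ingress it would publish. Assumptions: the zone example.com already exists in Hetzner DNS, the Hetzner provider is still built into the ExternalDNS image tag used (it was deprecated in later releases), the token is the one from step 2, and the ingress controller is reachable on node IP 203.0.113.10 (a documentation-range placeholder) on ports 80/443.

```yaml
# Added example: ExternalDNS for a kubeadm cluster whose ingress controller
# has no cloud load balancer. Every name and IP here is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: hetzner-dns
  namespace: external-dns
type: Opaque
stringData:
  token: "REPLACE_WITH_HETZNER_DNS_API_TOKEN"   # scope it to DNS only
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: external-dns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns
rules:
# Least privilege: read-only on exactly the objects ExternalDNS sources from.
- apiGroups: [""]
  resources: ["services", "endpoints", "pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: external-dns
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  namespace: external-dns
spec:
  replicas: 1
  strategy:
    type: Recreate            # never two writers racing on the same zone
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: registry.k8s.io/external-dns/external-dns:v0.13.5   # assumed tag
        args:
        - --source=ingress
        - --provider=hetzner
        - --domain-filter=example.com        # refuse to touch any other zone
        - --registry=txt                     # TXT ownership records ...
        - --txt-owner-id=hetzner-cluster-1   # ... so another cluster cannot clobber ours
        - --policy=sync
        env:
        - name: HETZNER_TOKEN
          valueFrom:
            secretKeyRef:
              name: hetzner-dns
              key: token
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  namespace: default
  annotations:
    # A NodePort controller never gets a status.loadBalancer address, so
    # tell ExternalDNS explicitly which IP the A record must point at.
    external-dns.alpha.kubernetes.io/target: "203.0.113.10"
spec:
  ingressClassName: nginx
  rules:
  - host: nginx.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx
            port:
              number: 80
```

Verify with `kubectl -n external-dns logs deploy/external-dns` (it logs each record it creates) and `dig nginx.example.com`. Two caveats: the record points at a node IP, so the ingress controller must actually answer on 80/443 there (hostNetwork or hostPort) or you are back to the 3xxxx NodePort numbers; and `--txt-owner-id` plus `--domain-filter` are what stop a second cluster, or a compromised one, from rewriting records it does not own.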

Ingress resource deployment

What is the best approach to create the ingress resource that interact with ELB into target deployment environment that runs on Kubernetes?
As we all know, there are different cloud providers and many types of settings related to the deployment of your ingress resource, which depend on your target environment: AWS, OpenShift, plain vanilla K8s, Google Cloud, Azure.
On cloud deployments like Amazon, Google, etc., ingresses also need special annotations, most of which are common to all microservices in need of an ingress.
If we also deploy a mesh like Istio on top of k8s, then we need to use an Istio gateway with ingress. If we use OCP, then it has a special kind called "routes".
I'm looking for the best solution that aims to use more standard options, decreasing the differences between platforms when deploying the ingress resource.
So maybe the best approach is to create an operator to deploy the Ingress resource because of the many different setups here?
Is it important to create some generic component to deploy the Ingress while keeping cloud agnostic?
How do other companies deploy their ingress resources to the k8s cluster?
What is the best approach to create the ingress resource that interacts with an ELB in the target deployment environment that runs on Kubernetes?
On AWS the common approach is to use an ALB and the AWS ALB Ingress Controller, but it has its own drawbacks in that it creates one ALB per Ingress resource.
If we also deploy a mesh like Istio, then we need to use an Istio gateway with ingress.
Yes, then the situation is different, since you will use VirtualService from Istio or use AWS App Mesh - that approach looks better, and you will not have an Ingress resource for your apps.
I'm looking for the best solution that aims to use more standard options, decreasing the differences between platforms when deploying the ingress resource.
Yes, this is in the intersection between the cloud provider infrastructure and your cluster, so there are unfortunately many different setups here. It also depends on whether your ingress gateway is within the cluster or outside of the cluster.
In addition, the Ingress resource just became GA (stable) in the most recent Kubernetes, 1.19.
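To show the two shapes the answer contrasts side by side, here is an added example (not from the answer or from any vendor's documentation) exposing the same backend once through an ALB-managed Ingress and once through an Istio Gateway plus VirtualService. The namespace `web`, Service `web:8080`, hostname and TLS secret names are assumed; the `group.name` annotation assumes the v2 AWS Load Balancer Controller, which is the knob that lets several Ingresses share one ALB instead of provisioning one each.

```yaml
# Added example, part 1: cloud-specific Ingress for the AWS ALB controller.
# Everything that makes it AWS-specific lives in annotations.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: web
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip          # route straight to pod IPs
    alb.ingress.kubernetes.io/group.name: shared-edge   # v2 controller: one ALB for the group
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
spec:
  rules:
  - host: web.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 8080
---
# Added example, part 2: the mesh-native equivalent. No Ingress object;
# the Gateway binds to the shared istio-ingressgateway pods and the
# VirtualService carries the routing. Both are portable across clouds.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: web-gateway
  namespace: web
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: web-tls   # kubernetes.io/tls Secret, must live in istio-system
    hosts:
    - "web.example.com"
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true       # never serve the app over plaintext
    hosts:
    - "web.example.com"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: web
  namespace: web
spec:
  hosts:
  - "web.example.com"
  gateways:
  - web-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: web.web.svc.cluster.local
        port:
          number: 8080
```

The practical difference for the "cloud agnostic" goal in the question: the Ingress half has to be regenerated per platform (annotation keys change on GKE or Azure, and OpenShift wants a Route), whereas the Gateway and VirtualService half is identical everywhere the mesh runs, with the cloud-specific part reduced to the single LoadBalancer Service in front of the gateway pods.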

Accessing services without pod (without istio envoy) from outside cluster through istio ingress rules in K8s

Steps:
1. I have created 2 namespaces (ns1 and ns2).
2. In ns1, I have deployed a service where the Envoy proxy is enabled (istioctl kube-inject service.yaml).
3. In ns1, I have created Istio ingress rules pointing to the service, and I am able to access it from outside the cluster.
4. In ns2, I haven't deployed any service because it is my shared namespace; hence I have created a headless service (ExternalName) which points to the service deployed in the ns1 namespace.
The problem is, I am not able to access the service which is deployed in ns2 from outside the cluster. It is throwing 404 service not found.
Did I miss anything here? Do we have any other solution to address this?
Thanks,
Nikhil

Access non Istio resource

My current version of istio is 0.2.12.
I have a deployment that is deployed with istio kube-inject and tries to connect to a service/deployment inside the Kubernetes cluster that does not use Istio. How is it possible to allow access from the Istio-using deployment to the non-Istio deployment?
In this case the Istio-backed deployment is a Spring Boot application and the other is an ephemeral MySQL server.
Any ideas?
You should be able to access all the kubernetes services (Istio-injected and the regular Kubernetes ones) from Istio-injected pods.
This is now possible; please see the
"Can I enable Istio Auth with some services while disable others in the same cluster?"
question in the security section of the FAQ: https://istio.io/help/faq.html
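The FAQ the answer cites belongs to Istio 0.2, where this was handled by excluding services from Istio Auth. In Istio 1.x the same situation (mesh mTLS on, one plaintext-only dependency) is expressed with the resources below. This is an added example, not the FAQ's content and not project code; the namespaces `app` and `db` and the Service name `mysql` are assumed for illustration.

```yaml
# Added example: keep sidecar-to-sidecar traffic STRICT mTLS, but let the
# injected Spring Boot pod reach a MySQL Service that has no sidecar.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system      # mesh-wide default: every sidecar requires mTLS inbound
spec:
  mtls:
    mode: STRICT
---
# Client-side rule. The Envoy in the Spring Boot pod must NOT originate mTLS
# toward mysql, because nothing on the MySQL side would terminate it and the
# handshake would fail. Scoped to exactly one host, not the whole namespace.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: mysql-no-mtls
  namespace: app
spec:
  host: mysql.db.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE
    # Cap the pool so a chatty app cannot exhaust max_connections on an
    # ephemeral server that is not protected by the mesh's circuit breaking.
    connectionPool:
      tcp:
        maxConnections: 20
```

Two notes. With auto mTLS (on by default in recent Istio) the sidecar already falls back to plaintext for a destination that has no sidecar, so the DestinationRule is only strictly required when auto mTLS is disabled or a broader DestinationRule forces ISTIO_MUTUAL; `istioctl analyze` will flag a conflicting pair. Second, this link is now plaintext on the node network, which is exactly the exposure the mesh was meant to remove: either turn on MySQL's own TLS (`require_secure_transport`) for that connection or inject the database Deployment too and drop the DISABLE rule.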