This page shows how to enable ingress for an GKE on-prem cluster.
SSH into your admin workstation
SSH into your admin workstation:
ssh -i ~/.ssh/vsphere_workstation ubuntu@[IP_ADDRESS]
where [IP_ADDRESS] is the IP address of your admin workstation.
Do all of the remaining steps in this topic on your admin workstation.
Enabling ingress
After your user cluster is running, you must enable ingress by creating an Istio Gateway object. This Istio Gateway object is required for network ingress traffic, and is not intended to be used or supported for any other use cases such as authorization policies. The first part of the Gateway manifest is always this:
apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: istio-autogenerated-k8s-ingress namespace: gke-system spec: selector: istio: ingress-gke-system
You can add additional fields to your Gateway to specify which traffic is allowed to enter your cluster. For more information on using Gateways to manage incoming requests, see Traffic Management.
The following Gateway manifest says that clients can send requests on port 80 using the HTTP/2 protocol and any hostname:
apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: istio-autogenerated-k8s-ingress namespace: gke-system spec: selector: istio: ingress-gke-system servers: - port: number: 80 protocol: HTTP2 name: http hosts: - "*"
If you want your ingress service to accept HTTPS requests, then you must provide one or more certificates that your ingress service can present to clients.
To provide a certificate:
- Create a Kubernetes Secret that holds your certificate and key.
- Create a Gateway object, or modify an existing Gateway object, that refers
to your Secret. The name of the Gateway object must be
istio-autogenerated-k8s-ingress
.
For example, suppose you have already created a certificate file,
ingress-wildcard.crt
, and a key file ingress-wildcard.key
.
Create a Secret named ingressgateway-wildcard-certs
:
kubectl create secret tls \ --namespace gke-system \ ingressgateway-wildcard-certs \ --cert ./ingress-wildcard.crt \ --key ./ingress-wildcard.key
The following Gateway manifest refers to your Secret. Clients can call on port 443 using the HTTPS protocol and any hostname that matches *.example.com. Note that the hostname in the certificate must match the hostname in the manifest, *.example.com in this example:
apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: istio-autogenerated-k8s-ingress namespace: gke-system spec: selector: istio: ingress-gke-system servers: - port: number: 80 protocol: HTTP2 name: http hosts: - "*" - hosts: - "*.example.com" port: name: https-demo-wildcard number: 443 protocol: HTTPS tls: mode: SIMPLE credentialName: ingressgateway-wildcard-certs
You can create multiple TLS certs for different hosts by modifying your Gateway manifest.
Save your manifest to a file named my-gateway.yaml
, and create the Gateway:
kubectl apply -f my-gateway.yaml