samirparhi.com

Accessing Workloads behind a ingress-gateway always has been a industry standard practice in Kubernetes setup. It facilitate single entry point for all your services deployed in a production grade Kubernetes. This setup also allows you to leverage the service-mesh functionality of implementing policies and have a better authz and authn to the deployed services. Meshery is no different, you can configure it to be accessed through ingress gateway. Let’s see how can we configure it.

Prerequisite :

Kubernetes is up and running.
Ingress controller is installed and Ingress-gateway is provisioned (we will be taking istio into account in this example and it is installed in istio-system Namespace)
Meshery is installed in your Kubernetes cluster (Preferably in meshery namespace)

See in Action:

Step 1 : Prerequisite check

Lets see if everything mentioned in prerequisite is fulfilled


$ kubectl get svc -n istio-system                                                           
NAME                   TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)                                      AGE
istio-ingressgateway   LoadBalancer   10.3.9.186   20.204.19.97    15021:30305/TCP,80:32107/TCP,443:32436/TCP   37d
We have ingress gateway provisioned.
$ kubectl get po -n meshery                                                                 
NAME                                    READY   STATUS           RESTARTS      AGE
meshery-5cc4489f77-7sbc5                1/1     Running             0          33d
meshery-operator-5db8b6c874-5cdvg       1/1     Running             0          33d
meshery-meshsync-8lb8b6y784-6ghnk       1/1     Running             0          33d
meshery-istio-6c56dd44fb-gk6xx          1/1     Running             0          33d
$ kubectl get svc -n meshery                                                                
NAME                   TYPE           CLUSTER-IP   EXTERNAL-IP    PORT(S)          AGE
meshery                LoadBalancer   10.3.9.178   10.5.3.188   9081:31037/TCP   33d

Now we see that Meshery’s core components meshery, meshery-operator, meshery-meshsync, meshery-istio (meshery adapter specific to your servicemesh), and meshery LoadBalance service (meshery) are up. The istio ingress gateway istio-ingressgateway is also up.

Note :

you can observe that the CLUSTER-IP & EXTERNAL-IP of the Meshery LoadBalancer are private IP (10.5.3.188, 10.3.9.178) that means you can not connect it from the browser or outside of the kubernetes cluster.
in the other hand if you observe we have got an public ip for the istio-ingressgateway (20.204.19.97) which can be accessed from outside of the cluster.
Only way to access the Meshery is through our ingress gateway (which is part of ingress controller Istio in this case)

Step 2: Let’s create a istio-Gateway for this meshery, which will facilitate meshey to recive the request from outside of cluster to Meshery.

Tip: What is istio-Gateway? Gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections. The specification describes a set of ports that should be exposed, the type of protocol to use, SNI configuration for the load balancer, etc. More information : Istio / Gateway.

create a file meshery-istio-gw.yaml and copy paste the below content to the file.


apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: meshery-gateway
  namespace: meshery
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

Now let’s apply this manifest in meshery Namespace.


$ kubectl apply -f meshery-istio-gw.yaml

Tip: Istio gateway is namespace scoped. The gateway listener for meshery listens on port 80.

Step 3: Lets create a virtualService for Istio gateway to reach Meshery Loadbalancer in the kubernetes cluster

🚩 Tip: A VirtualService defines a set of traffic routing rules to apply when a host is addressed. Each routing rule defines matching criteria for traffic of a specific protocol. If the traffic is matched, then it is sent to a named destination service (or subset/version of it) defined in the registry. More info: Istio / Virtual Service.

create a file meshery-istio-vs.yaml and copy paste the below content to the file.


apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: meshery
  namespace: meshery
spec:
  hosts:
  - "*"
  gateways:
  - meshery-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: meshery
        port:
          number: 9081

Now let’s apply this manifest in meshery Namespace.


$ kubectl apply -f meshery-istio-vs.yaml

Tip: istio virtualService is namespace scoped.

Understanding `meshery-istio-vs.yaml`

When the request hits the istio ingress gateway (the gateway listener for meshery listens on port 80) with prefix “/” (root) it will forward it to the kubernetes service meshery which exists in meshery Namespace and listing on 9081 (The default port of Meshery)

Step 4: Accessing Meshery:

Now you can access meshhery UI with http:/// in this context http://20.204.19.97/ Tip: when you hit http://20.204.19.97/ it will automatically redirect you to http://20.204.19.97/provider and you will she the meshery UI as below:

Extras :

You can use fqdn (let’s say meshery.example.com) for accessing meshery. In that case you have to replace * field under hosts: section in meshery-istio-vs.yaml and meshery-istio-gw.yaml to meshery.example.com .

Find it on :

Layer5 discuss forum

Credits:

Layer5 , Istio , Meshery