Ingress vs Gateway API
We recommend using the Kubernetes Gateway API for ingress management.
The Gateway API is the official successor to Ingress resources and is actively developed by the Kubernetes community.
One of the key benefits is that it has a better separation of concerns: a clean split between infrastructure configuration (Gateway) and application routing (HTTPRoute).
We use Istio Gateway's implementation of the Kubernetes Gateway API (not to be confused with Istio's implementation of Ingress).
Having mentioned the Gateway, it's worth noting that you can only specify one host or wildcard domain per Gateway listener. This is a bit of a paradigm shift if you rely heavily on per-Ingress certificate management using the HTTP01 Challenge Provider. In our examples we suggest using wildcard domains in the Gateway listeners, which requires the DNS01 Challenge Provider. For this to work, you will need to make use of cert-manager webhook plugins. An example of such a plugin is the Designate plugin (used for OpenStack DNS), which we ship as well.
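The wildcard listener and the Gateway/HTTPRoute split described above, shown as an added example that is not one of this reference implementation's own manifests. The domain `apps.example.com`, the resource names, the `shop` namespace, the `gateway-access` label, the `addresses` binding and the `dns01-issuer` ClusterIssuer (assumed to be configured with a DNS01 webhook solver) are all assumptions.

```yaml
# Added example: every name, namespace, label and domain here is a placeholder.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: istio-gateway
  annotations:
    # Needs cert-manager's Gateway API support enabled. The issuer is assumed
    # to use a DNS01 solver, which wildcard certificates require.
    cert-manager.io/cluster-issuer: dns01-issuer
spec:
  gatewayClassName: istio
  addresses:
    # Assumption: attach to the Helm-installed gateway Service instead of
    # letting Istio provision a separate deployment for this Gateway.
    - type: Hostname
      value: istio-gateway.istio-gateway.svc.cluster.local
  listeners:
    - name: https-wildcard
      hostname: "*.apps.example.com"   # one host or wildcard per listener
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - name: wildcard-apps-tls    # Secret stays in the Gateway namespace
      allowedRoutes:
        namespaces:
          from: Selector               # only labelled namespaces may attach
          selector:
            matchLabels:
              gateway-access: "true"
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: shop
  namespace: shop                      # must carry gateway-access=true
spec:
  parentRefs:
    - name: shared-gateway
      namespace: istio-gateway
      sectionName: https-wildcard
  hostnames:
    - shop.apps.example.com
  rules:
    - backendRefs:
        - name: shop-frontend
          port: 8080
```

Because the certificate Secret is referenced only from the Gateway's namespace, application teams can publish routes under the wildcard without holding the private key, and `allowedRoutes` limits which namespaces can claim hostnames on the listener.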
While the Ingress API is technically still usable, this API has been frozen. The Kubernetes project recommends using Gateway API instead. We follow this recommendation and do not support Ingress resources anymore in this reference implementation.
However, it is still possible to let Istio listen for Ingress resources. If this is a requirement for you, you can always implement this in your own environment. Do note that Istio Ingress requires TLS secrets to be stored in the Istio gateway namespace rather than alongside the Ingress resource, which would necessitate additional automation (e.g. with Kyverno) to copy TLS secrets to the Istio gateway namespace.
For completeness, these are the most important resources needed to run Istio Gateway:
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: istio
  namespace: set-in-overlay
spec:
  interval: 24h
  url: https://istio-release.storage.googleapis.com/charts
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: istiod
spec:
  interval: 30m
  chart:
    spec:
      chart: istiod
      version: 1.26.3
      sourceRef:
        kind: HelmRepository
        name: istio
      interval: 12h
  values:
    meshConfig:
      ingressSelector: gateway # see https://github.com/istio/istio/blob/master/manifests/charts/gateway/templates/_helpers.tpl#L20
      ingressService: istio-gateway
    pilot:
      env:
        K8S_INGRESS_NS: istio-gateway
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: istio-gateway
spec:
  chart:
    spec:
      chart: gateway
      version: 1.26.3
      sourceRef:
        kind: HelmRepository
        name: istio
      interval: 12h
  values:
    service:
      type: LoadBalancer
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: istio
spec:
  controller: istio.io/ingress-controller