How to use an Istio Ingress along with the default Ingress on a single entry point

Nico Meisenzahl
May 26 · 3 min read

When you are new to Istio you might like to start small by only moving some of your applications into the service mesh in the first stage. You will find helpful information on how to do so in the Istio documentation. In this post, I would like to focus on how to expose applications inside as well as outside the service mesh using a single entry point (e.g. load balancer, proxy).

Istio comes with its own Ingress Controller, which is fully integrated into the service mesh. This Ingress Controller will be used to expose applications that are part of the service mesh. Besides this, you might still run some workloads on the same Kubernetes cluster that are not yet part of the service mesh. Those applications will be exposed using your default Ingress Controller (e.g. ingress-nginx).

As a result, you will have two different entry points. One managed by the Istio Ingress Controller, the other managed by your default Ingress Controller. In a multi-node Kubernetes environment, you might like to deploy a clustered load balancer in front to serve all your applications from a single entry point.

In the following example, I’m using HAProxy as a load balancer and have configured ACLs to direct the traffic based on the requested hostname. HAProxy then routes the request either to the Istio Ingress Controller or to the default controller.

First of all, we need a frontend configuration for all HTTP traffic. The frontend is configured to use “mode http”. This allows us to read the HTTP Host header of the request and select the backend based on it. In this example, all requests for my-istio-app.domain.example will be served by the istioingress80 backend configuration. Everything else will be served by ingress80.

We also need a configuration for the HTTPS connections. This frontend configuration is slightly different. It’s configured to use “mode tcp”, which allows us to use SNI (Server Name Indication) to read the requested hostname. We can’t access the Host header in this case because it is encrypted.

The backend configuration is fairly standard. You only need to define the corresponding Ingress entry points.
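
The three pieces described above, put together as an added example (not the author's original configuration). The node addresses, ports and the two 443 backend names are assumptions; only `istioingress80`, `ingress80` and the hostname come from the text.

```haproxy
# Added example, not the author's original configuration.
# Addresses (192.0.2.x) and ports are constructed placeholders; the 443
# backend names are assumed by analogy with istioingress80 / ingress80.
defaults
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend http
    bind *:80
    mode http
    # Select the backend from the cleartext Host header.
    acl is_istio hdr(host) -i my-istio-app.domain.example
    use_backend istioingress80 if is_istio
    default_backend ingress80

frontend https
    bind *:443
    mode tcp
    # Buffer until the TLS ClientHello arrives so SNI can be inspected.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # SNI is client-supplied and unauthenticated; TLS is passed through
    # unterminated, so each Ingress controller must still enforce its own hosts.
    acl is_istio req.ssl_sni -i my-istio-app.domain.example
    use_backend istioingress443 if is_istio
    # Connections without SNI, or with any other name, land here.
    default_backend ingress443

backend istioingress80
    mode http
    server node1 192.0.2.11:31380 check
    server node2 192.0.2.12:31380 check

backend ingress80
    mode http
    server node1 192.0.2.11:30080 check
    server node2 192.0.2.12:30080 check

backend istioingress443
    mode tcp
    server node1 192.0.2.11:31390 check
    server node2 192.0.2.12:31390 check

backend ingress443
    mode tcp
    server node1 192.0.2.11:30443 check
    server node2 192.0.2.12:30443 check
```

Because the HTTPS frontend never terminates TLS, HAProxy cannot compare the SNI value with the Host header inside the encrypted request, so hostname enforcement stays with the Ingress controller that receives the connection.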
