How to use an Istio Ingress along with the default Ingress on a single entry point

Nico Meisenzahl
May 26, 2019 · 3 min read

When you are new to Istio you might like to start small by only moving some of your applications into the service mesh in the first stage. You will find helpful information on how to do so in the Istio documentation. In this post, I would like to focus on how to expose applications inside as well as outside the service mesh using a single entry point (e.g. load balancer, proxy).

Istio comes with its own Ingress Controller which is fully integrated into the service mesh. This Ingress Controller will be used to expose applications which are part of the service mesh. Besides this, you might still run some workloads on the same Kubernetes Cluster which are not yet part of the service mesh. Those applications will be exposed using your default Ingress Controller (e.g. ingress-nginx).

As a result, you will have two different entry points. One managed by the Istio Ingress Controller, the other managed by your default Ingress Controller. In a multi-node Kubernetes environment, you might like to deploy a clustered load balancer in front to serve all your applications from a single entry point.

In the following example, I’m using HAProxy as a load balancer, with ACLs that route the traffic based on the requested hostname. HAProxy then sends each request either to the Istio Ingress Controller or to the default controller.

First of all, we need a frontend configuration for all HTTP traffic. The frontend is configured to use “mode http”. This allows us to read the HTTP Host header of the request and select the backend based on it. In this example, all requests for my-istio-app.domain.example will be served by the istioingress80 backend configuration. Everything else will be served by ingress80.

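frontend frontend80
    bind *:80
    mode http
    timeout client 1m
    default_backend ingress80
    # hdr_sub() is a substring match: any Host value containing this name
    # selects the Istio backend. hdr(host) -i matches the exact value only.
    acl ingress_app hdr_sub(host) -i my-istio-app.domain.example
    use_backend istioingress80 if ingress_app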

We also need a configuration for HTTPS connections. This frontend configuration is slightly different. It’s configured to use “mode tcp”, which allows us to read the requested hostname from SNI (Server Name Indication) in the TLS handshake. We can’t access the Host header in this case because it is encrypted.

frontend frontend443
    bind *:443
    mode tcp
    option tcplog
    timeout client 1m
    default_backend ingress443
    # wait up to 5s for the TLS ClientHello (hello type 1) before routing
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # req_ssl_sni is an exact string match on the SNI value
    acl ingress_app req_ssl_sni -i my-istio-app.domain.example
    use_backend istioingress443 if ingress_app

The backend configuration is fairly standard. You only need to define the corresponding Ingress entry points.

backend ingress80
    mode http
    option log-health-checks
    log global
    balance roundrobin
    timeout connect 10s
    timeout server 1m
    server worker-0 <ip>:80 check
    server worker-1 <ip>:80 check
    server worker-2 <ip>:80 check

backend istioingress80
    mode http
    option log-health-checks
    log global
    balance roundrobin
    timeout connect 10s
    timeout server 1m
    server worker-0 <ip>:31380 check
    server worker-1 <ip>:31380 check
    server worker-2 <ip>:31380 check

backend ingress443
    mode tcp
    option log-health-checks
    log global
    balance roundrobin
    timeout connect 10s
    timeout server 1m
    server worker-0 <ip>:443 check
    server worker-1 <ip>:443 check
    server worker-2 <ip>:443 check

backend istioingress443
    mode tcp
    option log-health-checks
    log global
    balance roundrobin
    timeout connect 10s
    timeout server 1m
    server worker-0 <ip>:31390 check
    server worker-1 <ip>:31390 check
    server worker-2 <ip>:31390 check

01001101

Stories related to DevOps topics by Nico Meisenzahl. 01001101? First char of my surname.
