Setting up a Kubernetes API Gateway with Istio, Gloo, and Cert-Manager involves several critical steps aimed at ensuring secure, efficient traffic management. First, the Gateway API CRDs are installed to enable routing control, followed by deploying Istio for service traffic management. Gloo is installed as the API gateway to handle external traffic, while Cert-Manager automates SSL/TLS certificates for enhanced security. Finally, an IP is assigned to the gateway service, ensuring consistent and reliable external access.
Step-by-step guide
Install API Gateway CRD
This installs the Custom Resource Definitions for the Gateway API, which enables the management of network traffic.
```shell
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
```
Install Istio-base and Istiod
Installs Istio's control plane and essential components for traffic routing.
```shell
helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update
helm install istio-base istio/base -n istio-system --set defaultRevision=default --create-namespace
helm install istiod istio/istiod -n istio-system --wait
```
Install Gloo Gateway
This command deploys the Gloo API Gateway to manage and route API traffic within Kubernetes.
```shell
helm repo add gloo https://storage.googleapis.com/solo-public-helm
helm repo update
helm upgrade --install gloo-gateway gloo/gloo \
  --namespace gloo-system \
  --create-namespace \
  --version 1.17.8 \
  -f - <<EOF
gatewayProxies:
  gatewayProxy:
    disabled: true
global:
  istioIntegration:
    enableAutoMtls: true
    enabled: true
  istioSDS:
    enabled: true
kubeGateway:
  enabled: true
  gatewayParameters:
    glooGateway:
      istio:
        istioProxyContainer:
          istioDiscoveryAddress: istiod.istio-system.svc:15012
          istioMetaClusterId: Kubernetes
          istioMetaMeshId: cluster.local
EOF
```
Install Cert-Manager
Cert-Manager is deployed to handle the automatic provisioning and renewal of TLS certificates.
```shell
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  -f - <<EOF
config:
  apiVersion: controller.config.cert-manager.io/v1alpha1
  enableGatewayAPI: true
  kind: ControllerConfiguration
crds:
  enabled: true
global:
  leaderElection:
    namespace: cert-manager
EOF
```
Apply Cluster Issuer
A ClusterIssuer is created to define how Cert-Manager will issue certificates cluster-wide.
```shell
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    email: jakub@slys.dev
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod-secret
    solvers:
    - http01:
        gatewayHTTPRoute:
          parentRefs:
          - group: gateway.networking.k8s.io
            kind: Gateway
            name: http
            namespace: gloo-system
EOF
```
Create Gateway resource
Defines a Gateway resource to control how traffic enters the cluster through the Gloo Gateway.
```shell
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  name: http
  namespace: gloo-system
spec:
  gatewayClassName: gloo-gateway
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    name: http
    port: 80
    protocol: HTTP
  - allowedRoutes:
      namespaces:
        from: All
    hostname: slys.dev
    name: https
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: slys-dev-cert
      mode: Terminate
EOF
```
Create HTTPRoute resource
This creates a route that defines how HTTP traffic should be handled by the gateway.
```shell
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: iam-slys-dev-http-redirect
  namespace: slys
spec:
  hostnames:
  - slys.dev
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: http
    namespace: gloo-system
  rules:
  - filters:
    - requestRedirect:
        hostname: iam.slys.dev
        statusCode: 302
      type: RequestRedirect
    matches:
    - path:
        type: PathPrefix
        value: /
EOF
```
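Before applying the Gateway and HTTPRoute above, it is worth checking what the listeners expose and what the redirect rule actually returns. The script below is an added example, not code from the original post or from the Gloo, Istio or cert-manager projects. It re-types the two manifests as Python dicts (constructed from the post's YAML) so it runs offline without a cluster or PyYAML; lint_gateway() and lint_route() report settings a reviewer would question, and evaluate_route() applies the Gateway API PathPrefix and RequestRedirect defaults (scheme and path taken from the request when the filter leaves them unset) to a sample request. Its handling of the port assumes the request arrived on the standard port for its scheme.

```python
"""Offline checks on the Gateway and HTTPRoute from the post (added example)."""

# Constructed copies of the post's manifests, as dicts instead of YAML.
GATEWAY = {
    "apiVersion": "gateway.networking.k8s.io/v1", "kind": "Gateway",
    "metadata": {"name": "http", "namespace": "gloo-system",
                 "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
    "spec": {"gatewayClassName": "gloo-gateway", "listeners": [
        {"name": "http", "port": 80, "protocol": "HTTP",
         "allowedRoutes": {"namespaces": {"from": "All"}}},
        {"name": "https", "port": 443, "protocol": "HTTPS", "hostname": "slys.dev",
         "allowedRoutes": {"namespaces": {"from": "All"}},
         "tls": {"mode": "Terminate",
                 "certificateRefs": [{"group": "", "kind": "Secret", "name": "slys-dev-cert"}]}},
    ]},
}
HTTPROUTE = {
    "apiVersion": "gateway.networking.k8s.io/v1", "kind": "HTTPRoute",
    "metadata": {"name": "iam-slys-dev-http-redirect", "namespace": "slys"},
    "spec": {"hostnames": ["slys.dev"],
             "parentRefs": [{"group": "gateway.networking.k8s.io", "kind": "Gateway",
                             "name": "http", "namespace": "gloo-system"}],
             "rules": [{"filters": [{"type": "RequestRedirect",
                                     "requestRedirect": {"hostname": "iam.slys.dev",
                                                         "statusCode": 302}}],
                        "matches": [{"path": {"type": "PathPrefix", "value": "/"}}]}]},
}


def lint_gateway(gw):
    """Return findings about exposure and TLS for each listener."""
    findings = []
    if "cert-manager.io/cluster-issuer" not in gw["metadata"].get("annotations", {}):
        findings.append("no cert-manager.io/cluster-issuer annotation; no certificate is requested")
    for lst in gw["spec"]["listeners"]:
        name, proto = lst["name"], lst["protocol"]
        # Gateway API default is "Same"; "All" lets any namespace attach routes to this listener.
        if lst.get("allowedRoutes", {}).get("namespaces", {}).get("from", "Same") == "All":
            findings.append(f"listener {name}: allowedRoutes.namespaces.from=All; prefer Selector")
        if proto == "HTTPS":
            tls = lst.get("tls", {})
            if tls.get("mode", "Terminate") != "Terminate":
                findings.append(f"listener {name}: TLS mode {tls['mode']} is not terminated here")
            if not tls.get("certificateRefs"):
                findings.append(f"listener {name}: HTTPS listener without certificateRefs")
            if not lst.get("hostname"):
                findings.append(f"listener {name}: no hostname; cert-manager only issues for listeners that set one")
        elif proto == "HTTP" and not lst.get("hostname"):
            findings.append(f"listener {name}: plaintext port {lst['port']} accepts any host; "
                            "keep only redirect and ACME routes on it")
    return findings


def lint_route(route):
    """Flag redirect filters that keep the request's scheme instead of forcing https."""
    findings = []
    for i, rule in enumerate(route["spec"]["rules"]):
        for f in rule.get("filters", []):
            if f["type"] == "RequestRedirect" and f["requestRedirect"].get("scheme") != "https":
                findings.append(f"rule {i}: requestRedirect has no 'scheme: https'; "
                                "a plaintext request is redirected to a plaintext URL")
    return findings


def _prefix_match(path, prefix):
    """Gateway API PathPrefix is element-wise: '/a' matches '/a/b' but not '/ab'."""
    if prefix == "/":
        return True
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def evaluate_route(route, scheme, host, path):
    """Return (status, location) if a RequestRedirect rule matches the request, else None."""
    if host not in route["spec"].get("hostnames", [host]):
        return None
    for rule in route["spec"]["rules"]:
        for m in rule.get("matches") or [{"path": {"type": "PathPrefix", "value": "/"}}]:
            p = m.get("path", {"type": "PathPrefix", "value": "/"})
            matched = (_prefix_match(path, p["value"]) if p.get("type", "PathPrefix") == "PathPrefix"
                       else path == p["value"])
            if not matched:
                continue
            for f in rule.get("filters", []):
                if f["type"] == "RequestRedirect":
                    r = f["requestRedirect"]
                    port = f":{r['port']}" if "port" in r else ""
                    return r.get("statusCode", 302), f"{r.get('scheme', scheme)}://{r.get('hostname', host)}{port}{path}"
            return None  # matched, but no redirect filter: the request would be forwarded
    return None


if __name__ == "__main__":
    for finding in lint_gateway(GATEWAY) + lint_route(HTTPROUTE):
        print("finding:", finding)
    print(evaluate_route(HTTPROUTE, "http", "slys.dev", "/login"))
```

Run against the post's manifests, the linter reports the two `from: All` listeners, the host-less port-80 listener, and the redirect filter's missing `scheme: https`; evaluate_route() shows that a plaintext request for http://slys.dev/login is answered with 302 to http://iam.slys.dev/login, so the redirect by itself does not move the client onto TLS.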
Request an IP for the Gateway service
Patches the Gloo Gateway service to request an IP (192.168.111.11) from the Kube-VIP LoadBalancer.
```shell
kubectl patch svc gloo-proxy-http -n gloo-system -p '{"metadata": {"annotations": {"kube-vip.io/loadbalancerIPs": "192.168.111.11"}}}'
```
These steps ensure a fully functional API Gateway with Istio, Gloo, and Cert-Manager, ready for handling secure traffic in a Kubernetes environment.
Summary
In conclusion, the setup of an API Gateway with Istio, Gloo, and Cert-Manager provides a solid foundation for managing secure and scalable traffic in Kubernetes environments. By combining Istio's traffic control, Gloo's API routing, and Cert-Manager's automated TLS certificate management, you ensure reliable service communication and security. This setup offers a streamlined approach to handling microservice traffic while addressing security and reliability concerns, essential for modern cloud-native applications. See demo here.