When a gateway is installed via gateway injection, you can configure it to handle ingress traffic by using the Istio Gateway and VirtualService resources together. The Istio Gateway resource defines a load balancer that operates at the mesh's edge, handling incoming or outgoing HTTP/TCP connections. The Gateway specification outlines a set of ports to be exposed, the protocol to use, and the Server Name Indication (SNI) settings for the load balancer. VirtualServices are used to define routing rules for an Istio Gateway, much like how they define routing rules for traffic within the mesh.
In the example that follows, an Istio Gateway resource configures a gateway proxy to serve as an entry point for external traffic. This setup exposes port 443 (HTTPS) for the bookinfo.com host. The configuration is applicable to pods labeled with istio: ingressgateway. The tls mode is set to SIMPLE, which means the incoming HTTPS traffic is terminated using the provided TLS Secret.
Sample configuration
The VirtualService below is linked to the Istio Gateway resource from the previous configuration example. Its specification creates rules to direct traffic with the /reviews/ path prefix to the reviews service within the bookinfo namespace. The VirtualService makes an explicit reference to the previously shown Gateway resource, ensuring that these routing rules apply only to traffic coming through that specific gateway.
Sample configuration
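The Gateway and VirtualService described above, written out together as an added example; this is not the original page's sample configuration. The resource names, the placement of the Gateway in the bookinfo namespace, and the Secret name are assumptions made for illustration.

```yaml
# Added example. Names marked "assumed" are placeholders, not values from the page.
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: bookinfo-gateway            # assumed name
  namespace: bookinfo               # assumed: gateway injected into the application namespace
spec:
  selector:
    istio: ingressgateway           # applies to gateway pods carrying this label
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - bookinfo.com                  # only this SNI/Host is served on the port
    tls:
      mode: SIMPLE                  # server-side TLS is terminated at the gateway
      # assumed Secret name; the Secret must exist in the same
      # namespace as the gateway pods selected above
      credentialName: bookinfo-tls-secret
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: bookinfo-reviews            # assumed name
  namespace: bookinfo
spec:
  hosts:
  - bookinfo.com                    # must match a host exposed by the Gateway
  gateways:
  # Explicit binding: these rules apply only to traffic entering through
  # this Gateway. Without a gateways list the rules would apply to
  # in-mesh sidecars instead of the edge proxy.
  - bookinfo-gateway                # use <namespace>/<name> if the Gateway lives elsewhere
  http:
  - match:
    - uri:
        prefix: /reviews/           # any other path has no route and is not forwarded
    route:
    - destination:
        # reviews service in the bookinfo namespace; the port is omitted
        # on the assumption that the Service exposes a single port
        host: reviews.bookinfo.svc.cluster.local
```

Because the only route is the /reviews/ prefix for bookinfo.com, requests for other paths or hosts arriving on port 443 are not forwarded to any service in the mesh.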