JayD

Reputation: 986

use Ambassador api gateway as Istio ingress?

Everyone, I have been searching the internet the whole day but can't find a complete and decent example of how to use the Ambassador API gateway as Istio ingress. The default documentation at the Ambassador site regarding Istio isn't clear enough. So can someone please provide a complete and detailed example of how to use the Ambassador API gateway along with the Istio service mesh?

My platform specs are
OS: Windows10
Container-Platform: Docker-desktop
Kubernetes-version: 1.10.11

Upvotes: 1

Views: 787

Answers (2)

Donato Szilagyi

Reputation: 4369

After many hours I succeeded in integrating Ambassador 1.8 with Istio 1.7.3. The mTLS integration was really tricky.

First I upgraded Kubernetes to the latest one (1.19.2) with the following extraArgs:

extraArgs:
  service-account-issuer: kubernetes.default.svc
  service-account-signing-key-file: /etc/kubernetes/pki/sa.key

Then installed Istio with the default profile.

Then I went on with the documentation Piotr mentioned, but the Ambassador pod did not want to start. So I compared the sidecar in the docs line by line with a sidecar generated automatically by Istio in another pod. Finally I got to the following working deployment YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ambassador
  namespace: rocket
spec:
  replicas: 1
  selector:
    matchLabels:
      service: ambassador
  template:
    metadata:
      annotations:
        consul.hashicorp.com/connect-inject: 'false'
        sidecar.istio.io/inject: 'false'
      labels:
        service: ambassador
        app.kubernetes.io/managed-by: getambassador.io
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  service: ambassador
              topologyKey: kubernetes.io/hostname
            weight: 100
      containers:
      - name: ambassador
        image: docker.io/datawire/ambassador:1.8.0
        env:
        - name: AMBASSADOR_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP 
        - name: REDIS_URL
          value: ambassador-redis:6379
        - name: AMBASSADOR_URL
          value: https://ambassador.rocket.svc.cluster.local
        - name: POLL_EVERY_SECS
          value: '60'
        - name: AMBASSADOR_INTERNAL_URL
          value: https://127.0.0.1:8443
        - name: AMBASSADOR_SINGLE_NAMESPACE
          value: "YES" 
        - name: AMBASSADOR_ID
          value: "ambassador-rocket"
        # Necessary to run the istio-proxy sidecar
        - name: AMBASSADOR_ENVOY_BASE_ID
          value: "1"
        ports:
        - containerPort: 8080
          name: http
        - containerPort: 8443
          name: https
        - containerPort: 8877
          name: http-admin
        livenessProbe:
          httpGet:
            path: /ambassador/v0/check_alive
            port: http-admin
          periodSeconds: 3
        readinessProbe:
          httpGet:
            path: /ambassador/v0/check_ready
            port: http-admin
          periodSeconds: 3
        resources:
          limits:
            cpu: 1000m
            memory: 600Mi
          requests:
            cpu: 200m
            memory: 300Mi
        securityContext:
          allowPrivilegeEscalation: false 
        volumeMounts:
        - mountPath: /tmp/ambassador-pod-info
          name: ambassador-pod-info
        - mountPath: /etc/istio-certs/
          name: istio-certs
      - name: istio-proxy
        # Use the same version as your Istio installation
        image: docker.io/istio/proxyv2:1.7.3
        args:
        - proxy
        - sidecar
        - --domain
        - $(POD_NAMESPACE).svc.cluster.local
        - --serviceCluster
        - istio-proxy-ambassador.$(POD_NAMESPACE)
        - --discoveryAddress
        - istiod.istio-system.svc:15012
        - --connectTimeout
        - 10s
        - --statusPort
        - "15020"
        - --trust-domain=cluster.local
        - --controlPlaneBootstrap=false
        env:
        - name: OUTPUT_CERTS
          value: "/etc/istio-certs"
        - name: JWT_POLICY
          value: third-party-jwt
        - name: PILOT_CERT_PROVIDER
          value: istiod
        - name: CA_ADDR
          value: istiod.istio-system.svc:15012
        - name: ISTIO_META_MESH_ID
          value: cluster.local
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: ISTIO_META_POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: ISTIO_META_CONFIG_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: ISTIO_META_CLUSTER_ID
          value: Kubernetes
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            cpu: 2000m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 128Mi
        readinessProbe:
          failureThreshold: 30
          httpGet:
            path: /healthz/ready
            port: 15020
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 2
          successThreshold: 1
          timeoutSeconds: 1
        volumeMounts:
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /etc/istio/proxy
          name: istio-envoy
        - mountPath: /etc/istio-certs/
          name: istio-certs
        - mountPath: /var/run/secrets/tokens
          name: istio-token
        securityContext:
          runAsUser: 0
      volumes:
      - name: istio-certs
        emptyDir:
          medium: Memory
      - name: istiod-ca-cert
        configMap:
          defaultMode: 420
          name: istio-ca-root-cert
      - name: istio-envoy
        emptyDir:
          medium: Memory
      - name: istio-token
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              audience: istio-ca
              expirationSeconds: 43200
              path: istio-token
      - downwardAPI:
          items:
          - fieldRef:
              fieldPath: metadata.labels
            path: labels
        name: ambassador-pod-info
      restartPolicy: Always
      securityContext:
        runAsUser: 8888
      serviceAccountName: ambassador
      terminationGracePeriodSeconds: 0 

Note: I prefer running one Istio per cluster and one Ambassador per namespace, so I put the Ambassador pod and my other pods into the "rocket" namespace.

Upvotes: 0
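A pre-deploy check for the wiring this answer depends on, added here as an example (not code from Ambassador, Istio, or the answer): it reads the pod template as dicts and flags a missing injection-disable annotation, a missing AMBASSADOR_ENVOY_BASE_ID, an OUTPUT_CERTS directory that is not one volume shared by both containers, a third-party-jwt sidecar without a projected token for audience istio-ca, and containers running as root. The function name and the trimmed sample manifest are constructed for this example.

```python
# Added pre-deploy check for the Ambassador + hand-written istio-proxy pod above (example
# code, not Ambassador's, Istio's or the answerer's). Takes the pod template's spec and
# annotations as dicts (the shape `kubectl get deploy -o json` returns); returns findings.
def _env(c):
    return {e["name"]: e.get("value") for e in c.get("env", [])}
def _mounts(c):
    return {m["mountPath"].rstrip("/"): m["name"] for m in c.get("volumeMounts", [])}

def check_ambassador_istio_pod(spec, annotations):
    findings = []
    ctrs = {c["name"]: c for c in spec["containers"]}
    vols = {v["name"]: v for v in spec.get("volumes", [])}
    amb, proxy = ctrs.get("ambassador"), ctrs.get("istio-proxy")
    if amb is None or proxy is None:
        return ["pod needs both an 'ambassador' and an 'istio-proxy' container"]
    if annotations.get("sidecar.istio.io/inject") != "false":
        findings.append("auto-injection not disabled: Istio would add a second istio-proxy")
    if "AMBASSADOR_ENVOY_BASE_ID" not in _env(amb):
        findings.append("AMBASSADOR_ENVOY_BASE_ID unset: Ambassador's Envoy would clash with the sidecar's")
    # The sidecar writes the workload cert and key to OUTPUT_CERTS; Ambassador must mount that same volume.
    certs = (_env(proxy).get("OUTPUT_CERTS") or "").rstrip("/")
    vol = _mounts(proxy).get(certs)
    if not certs or vol is None or _mounts(amb).get(certs) != vol:
        findings.append("OUTPUT_CERTS dir must be one volume mounted in both containers")
    elif vols.get(vol, {}).get("emptyDir", {}).get("medium") != "Memory":
        findings.append("cert volume should be a Memory emptyDir so the private key never touches node disk")
    # third-party-jwt: istiod authenticates the proxy with a projected, audience-bound SA token.
    if _env(proxy).get("JWT_POLICY") == "third-party-jwt":
        tok = vols.get(_mounts(proxy).get("/var/run/secrets/tokens"), {})
        srcs = tok.get("projected", {}).get("sources", [])
        if "istio-ca" not in [s.get("serviceAccountToken", {}).get("audience") for s in srcs]:
            findings.append("third-party-jwt needs a projected token with audience istio-ca")
    for c in (amb, proxy):
        if c.get("securityContext", {}).get("runAsUser") == 0:
            findings.append(c["name"] + " runs as root (runAsUser: 0); confirm it is needed")
    return findings

# Constructed sample: only the fields of the answer's Deployment that the checks read.
SAMPLE_ANNOTATIONS = {"sidecar.istio.io/inject": "false"}
SAMPLE_SPEC = {
    "containers": [
        {"name": "ambassador", "env": [{"name": "AMBASSADOR_ENVOY_BASE_ID", "value": "1"}],
         "volumeMounts": [{"mountPath": "/etc/istio-certs/", "name": "istio-certs"}]},
        {"name": "istio-proxy", "securityContext": {"runAsUser": 0},
         "env": [{"name": "OUTPUT_CERTS", "value": "/etc/istio-certs"},
                 {"name": "JWT_POLICY", "value": "third-party-jwt"}],
         "volumeMounts": [{"mountPath": "/etc/istio-certs/", "name": "istio-certs"},
                          {"mountPath": "/var/run/secrets/tokens", "name": "istio-token"}]}],
    "volumes": [{"name": "istio-certs", "emptyDir": {"medium": "Memory"}},
                {"name": "istio-token", "projected": {"sources": [
                    {"serviceAccountToken": {"audience": "istio-ca", "path": "istio-token"}}]}}]}
```

On the answer's manifest the only finding is the sidecar running as root, which matches its `runAsUser: 0`; everything else the mTLS hand-off needs is present.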

Piotr Malec

Reputation: 3647

This topic is explained in detail in Ambassador documentation:

Ambassador is a Kubernetes-native API gateway for microservices. Ambassador is deployed at the edge of your network, and routes incoming traffic to your internal services (aka "north-south" traffic). Istio is a service mesh for microservices, and is designed to add application-level Layer (L7) observability, routing, and resilience to service-to-service traffic (aka "east-west" traffic). Both Istio and Ambassador are built using Envoy.

Follow this link for a step-by-step guide on how to get Ambassador working with Istio.

Additionally, you will need to update your Kubernetes version, as Istio's requirements are:

  • Istio 1.4 and 1.3 have been tested with Kubernetes: 1.13, 1.14, 1.15.

  • Istio 1.2 has been tested with Kubernetes: 1.12, 1.13, 1.14.

I suggest avoiding older versions.

Upvotes: 1
