Reputation: 1569
I do apologize in advance if this question is too basic, but I am lost and cannot figure out the best approach.
I have an Azure Kubernetes cluster running a simple DotNet application with a ClusterIP service. This app is currently accessible only inside the cluster, and this is perfect. I wanted to take one step forward and have the Istio Gateway route the external traffic to this container over port 443 and enable mTLS.
So I deployed the following resources:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: api-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "my-hostname"
    tls:
      mode: MUTUAL
      credentialName: my-hostname-secret
```
Ingress Service:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: istio-gateway-ingress-service
  namespace: default
  annotations:
    kubernetes.io/ingress.className: "nginx"
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  ingressClassName: "nginx"
  rules:
  - host: my-hostname
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
  tls:
  - hosts:
    - my-hostname
    secretName: my-hostname-secret
```
Virtual Service:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: api-management
spec:
  hosts:
  - 'my-hostname'
  gateways:
  - api-gateway
  http:
  - match:
    - uri:
        prefix: '/'
    route:
    - destination:
        host: internal-container-loadbalancer
        port:
          number: 8080
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: internal-container
spec:
  host: internal-container-loadbalancer
  subsets:
  - name: internal-container
    labels:
      app: internal-container
```
And finally, PeerAuthentication:
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
```
The ingress service is using Let's Encrypt to generate a TLS certificate and key. I have those in Kubernetes under secrets/tls, and all good. But when I try to visit my-hostname, I get a 502 Bad Gateway. Something is wrong in my configuration; I have been looking at and debugging this for days now and I cannot see what is wrong.
What am I trying to accomplish?
I want the gateway to be able to route traffic based on the path to different internal containers. For now I am using this with only one container, but in the future I would like to expand this to multiple internal containers.
Thank you so much for any help or clarification you can provide.
Upvotes: 0
Views: 847
Reputation: 3781
The advice from kira1kira aligns with best practices for deploying applications with Istio. Here is how to configure an Istio Gateway with mTLS to securely route external traffic to a .NET application hosted in your AKS cluster.
First, ensure Istio is installed in your cluster. You can enable it either while setting up the cluster in Azure, by ticking the Istio internal and external ingress checkbox in the Azure portal, or by using istioctl, the official installation tool for Istio.
Download istioctl:
```sh
curl -L https://istio.io/downloadIstio | sh -
cd istio-*/
export PATH=$PWD/bin:$PATH
```
Install:
```sh
istioctl install --set profile=demo -y
```
Ensure there are no conflicting ingress controllers, i.e. if Nginx is not needed, consider removing or disabling the Nginx Ingress Controller to prevent any overlap in traffic management.
Next, ensure your deployment is configured for sidecar injection, and deploy your .NET application and its service.
Example Deployment:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dotnet-app
  namespace: default
spec:
  selector:
    matchLabels:
      app: dotnet-app
  replicas: 1
  template:
    metadata:
      labels:
        app: dotnet-app
    spec:
      containers:
      - name: dotnet-app
        image: mcr.microsoft.com/dotnet/samples:aspnetapp
        ports:
        - containerPort: 80
```
Service for the application:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: dotnet-service
  namespace: default
spec:
  selector:
    app: dotnet-app
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 80
```
Now that your application is deployed, set up Istio's Gateway, VirtualService, and DestinationRule to handle traffic, i.e. configure the Gateway:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: dotnet-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway-external-asm-1-20 # Adjust the selector to target the specific Istio ingress gateway you have
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "my-hostname.example.com"
    tls:
      mode: MUTUAL
      credentialName: my-hostname-secret # Make sure the secret exists and is valid
```
Create a VirtualService:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: dotnet-virtualservice
  namespace: default
spec:
  hosts:
  - "my-hostname.example.com"
  gateways:
  - dotnet-gateway
  http:
  - match:
    - uri:
        prefix: "/"
    route:
    - destination:
        host: dotnet-service
        port:
          number: 8080
```
Configure the DestinationRule:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: dotnet-destination
  namespace: default
spec:
  host: dotnet-service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```
Set up mTLS with PeerAuthentication:
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
```
Apply all these files using `kubectl apply -f <filename.yaml>`.
You can navigate to `https://<your-hostname.example.com>` in a web browser or using curl. Ensure the DNS is properly configured to resolve to the external IP address of your Istio Ingress Gateway.
Upvotes: 0
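A pre-apply consistency check for the `tls.mode: MUTUAL` Gateway both posts rely on, added here as an example and not code from the question or the answer. It encodes two Istio requirements: the `credentialName` secret is resolved in the namespace of the istio-ingressgateway pods (assumed to be `istio-system`, the default), and for MUTUAL mode it must contain `tls.crt`, `tls.key` and a `ca.crt` bundle used to verify client certificates; the manifests and secret values are constructed placeholders modelled on the question.

```python
# Added example, not from the question or the answer above. Encodes two
# requirements of an Istio ingress Gateway in tls.mode MUTUAL: the
# credentialName secret is looked up in the namespace of the
# istio-ingressgateway pods (istio-system by default, assumed here), and it
# must hold tls.crt, tls.key and a ca.crt bundle for verifying client certs.
# All manifests below are constructed dicts; secret values are placeholders.
INGRESS_GW_NAMESPACE = "istio-system"
MUTUAL_SECRET_KEYS = {"tls.crt", "tls.key", "ca.crt"}

GATEWAY = {"metadata": {"name": "api-gateway", "namespace": "default"},
           "spec": {"servers": [{"port": {"number": 443, "protocol": "HTTPS"},
                                 "hosts": ["my-hostname"],
                                 "tls": {"mode": "MUTUAL",
                                         "credentialName": "my-hostname-secret"}}]}}

# What cert-manager produces from the posted Ingress: a kubernetes.io/tls
# secret in 'default' with no CA bundle.
CERT_MANAGER_SECRET = {"metadata": {"name": "my-hostname-secret", "namespace": "default"},
                       "data": {"tls.crt": "<server cert>", "tls.key": "<server key>"}}
# The shape the MUTUAL gateway actually needs.
GATEWAY_SECRET = {"metadata": {"name": "my-hostname-secret",
                               "namespace": INGRESS_GW_NAMESPACE},
                  "data": {"tls.crt": "<server cert>", "tls.key": "<server key>",
                           "ca.crt": "<client CA bundle>"}}

def index_secrets(secrets):
    """Key secrets by (namespace, name), which is how the gateway resolves them."""
    return {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}

def check_mutual_gateway(gateway, secrets):
    """Return a list of findings; an empty list means the mTLS wiring is consistent."""
    findings, by_ref = [], index_secrets(secrets)
    for server in gateway["spec"]["servers"]:
        tls = server.get("tls", {})
        if tls.get("mode") != "MUTUAL":
            continue  # SIMPLE/PASSTHROUGH servers have different requirements
        name = tls.get("credentialName")
        secret = by_ref.get((INGRESS_GW_NAMESPACE, name))
        if secret is None:
            findings.append(f"secret {name!r} not found in {INGRESS_GW_NAMESPACE}")
            continue
        missing = MUTUAL_SECRET_KEYS - set(secret["data"])
        if missing:
            findings.append(f"secret {name!r} is missing {sorted(missing)}")
    return findings

if __name__ == "__main__":
    print(check_mutual_gateway(GATEWAY, [CERT_MANAGER_SECRET]))  # one finding
    print(check_mutual_gateway(GATEWAY, [GATEWAY_SECRET]))       # []
```

Once the secret has this shape, a client must present a certificate issued by the CA in `ca.crt` (for example via curl's `--cert` and `--key` options); a connection without one failing at the TLS handshake is the expected behaviour of MUTUAL mode, not a misconfiguration.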