Gateway Group

Gateway Groups allow grouping the gateways in a set of namespaces owned by its parent workspace. Gateway related configurations can then be applied on the group to control the behavior of these gateways. The group can be in one of two modes: BRIDGED and DIRECT. BRIDGED mode is a minimalistic mode that allows users to quickly configure the most commonly used features in the service mesh using Tetrate specific APIs, while the DIRECT mode provides more flexibility for power users by allowing them to configure the gateways’s traffic and security properties using a restricted subset of Istio Networking and Security APIs.

The following example creates a gateway group for the gateways in ns1, ns2 and ns3 namespaces owned by its parent workspace w1 under tenant mycompany

apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
  name: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "*/ns1"
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

It is possible to create a gateway group for namespaces in a specific cluster as long as the parent workspace owns those namespaces in that cluster. For example,

apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
  name: g1
  workspace: w1
  tenant: mycompany
  organization: myorg
spec:
  namespaceSelector:
    names:
    - "c1/ns1" # pick ns1 namespace only from c1 cluster
    - "*/ns2"
    - "*/ns3"
  configMode: BRIDGED

In the DIRECT mode, it is possible to directly attach Istio Networking v1beta1 APIs - VirtualService, and Gateway, and Istio Security v1beta1 APIs - RequestAuthentication, and AuthorizationPolicy to the gateway group. These configurations will be validated for correctness and conflict free operations and then pushed to the appropriate Istio control planes.

The following example declares a Gateway and a VirtualService for a specific workload in the ns1 namespace:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: ingress
  namespace: ns1
  annotations:
    tsb.tetrate.io/organization: myorg
    tsb.tetrate.io/tenant: mycompany
    tsb.tetrate.io/workspace: w1
    tsb.tetrate.io/gatewayGroup: g1
spec:
  selector:
      app: my-ingress-gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com

and the associated VirtualService

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: ingress-rule
  namespace: ns1
  annotations:
    tsb.tetrate.io/organization: myorg
    tsb.tetrate.io/tenant: mycompany
    tsb.tetrate.io/workspace: w1
    tsb.tetrate.io/gatewayGroup: g1
spec:
  hosts:
  - uk.bookinfo.com
  - eu.bookinfo.com
  gateways:
  - ns1/ingress # Has to bind to the same gateway
  http:
  - route:
    - destination:
        port:
          number: 7777
        host: reviews.ns1.svc.cluster.local

The namespace where the Istio APIs are applied will need to be part of the parent gateway group. In addition, each API object will need to have annotations to indicate the organization, tenant, workspace and the gateway group to which it belongs to.

Group

A gateway group manages the gateways in a group of namespaces owned by the parent workspace.