How to set AWS ALB instead of ELB in Istio?
Step 1 : Change istioingresssgateway service type as nodeport
Step 2 : Install ALB ingress controller
Step 3 : Write ingress.yaml for istioingressgateway as follows:
apiVersion: extensions/v1beta1kind: Ingressmetadata: namespace: istio-system name: ingress labels: app: ingress annotations: kubernetes.io/ingress.class: alb alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/subnets: <subnet1>,<subnet2>spec: rules: - http: paths: - path: /* backend: serviceName: istio-ingressgateway servicePort: 80
alb.ingress.kubernetes.io/subnets annotation can be avoided if you labelled subnet of vpc with :
kubernetes.io/cluster/: owned
kubernetes.io/role/internal-elb: 1 (for internal ELB)
kubernetes.io/role/elb: 1 (for external ELB)
or else you can provide two subnet values and each subnet should be in different availability zone in the above yaml
It worked in Istio 1.6
Current accepted answer is correct. However I would like to give a slight update to it.Once AWS alb controller is installed and configured there are several steps one should take to make it work and be usable:
- Use
istioctl manifest generate
command to generate a list of manifests - Find
istio-ingressgateway
service configuration - Update it to be of a NodePort type
- Update ports configuration to have a pre-defined mapping of Node and Target ports. Note the
status-port
NodePort - Apply these manifests instead of installing/updating istio using
istioctl install
command. In some cases it might be better to rely on istio helm installation though - Update ingress configuration to have the following annotations
alb.ingress.kubernetes.io/healthcheck-port: 'PORT' alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready alb.ingress.kubernetes.io/healthcheck-protocol: HTTP```where PORT equals to the istio status-port NodePort value This way, you update ALB default configuration for the healthcheck to check Istio healthcheck
I can confirm solution by tibin_tomy worked for me on Istio 1.7.4. Additionally I used ClusterIP under step 1 instead of NodePort.
Step1 - Change istioingresssgateway service type to ClusterIP (Installing Istio using IstioOperator):
apiVersion: install.istio.io/v1alpha1kind: IstioOperatormetadata: namespace: istio-system name: istiospec: profile: default components: ingressGateways: - name: istio-ingressgateway k8s: service: type: ClusterIP # Disable classic load balancer creation (default), routing to here will be done via Kubernetes Ingress resource
NOTE: Deploy "Ingress" in the same namespace as istio-ingressgateway (istio-system by default).For example if istio-ingressgateway is in namespace istio-system and Ingress is in namespace system, then aws-alb-ingress-controller errors with:
"kubebuilder/controller "msg"="Reconciler error" "error"="failed toreconcile targetGroups due to failed to load serviceAnnotation due tono object matching key "system/istio-ingressgateway" in local store""controller"="alb-ingress-controller""request"={"Namespace":"system","Name":"sonata-ingress"}"