Gateway DNS configuration for routes attached to a ingress gateway¶
This user guide walks you through an example of how to configure DNS for all routes attached to an ingress gateway.
Requisites¶
Setup the environment¶
Follow this setup doc to set up your environment before continuing with this doc.
Create a namespace:
Export a root domain and hosted zone id:
Note: ROOT_DOMAIN should be set to your AWS hosted zone name.
Create a dns provider secret¶
Create AWS provider secret. You should limit the permissions of this credential to only the zones you want us to access.
export AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID> AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY>
kubectl -n my-gateways create secret generic aws-credentials \
--type=kuadrant.io/aws \
--from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
--from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
Create an ingress gateway¶
Create a gateway using your ROOT_DOMAIN as part of a listener hostname:
kubectl -n my-gateways apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: prod-web
spec:
gatewayClassName: istio
listeners:
- allowedRoutes:
namespaces:
from: All
name: api
hostname: "*.$ROOT_DOMAIN"
port: 80
protocol: HTTP
EOF
Check gateway status:
Response:
Enable DNS on the gateway¶
Create a Kuadrant DNSPolicy to configure DNS:
kubectl -n my-gateways apply -f - <<EOF
apiVersion: kuadrant.io/v1
kind: DNSPolicy
metadata:
name: prod-web
spec:
targetRef:
name: prod-web
group: gateway.networking.k8s.io
kind: Gateway
EOF
Check policy status:
Response:
Deploy a sample API to test DNS¶
Deploy the sample API:
kubectl -n my-gateways apply -f examples/toystore/toystore.yaml
kubectl -n my-gateways wait --for=condition=Available deployments toystore --timeout=60s
Route traffic to the API from our gateway:
kubectl -n my-gateways apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: toystore
spec:
parentRefs:
- name: prod-web
namespace: my-gateways
hostnames:
- "*.$ROOT_DOMAIN"
rules:
- backendRefs:
- name: toystore
port: 80
EOF
Verify a DNSRecord resource is created:
Verify DNS works by sending requests¶
Verify DNS using dig:
Response:
Verify DNS using curl:
Response:
{
"method": "GET",
"path": "/",
"query_string": null,
"body": "",
"headers": {
"HTTP_HOST": "api.$ROOT_DOMAIN",
"HTTP_USER_AGENT": "curl/7.85.0",
"HTTP_ACCEPT": "*/*",
"HTTP_X_FORWARDED_FOR": "10.244.0.1",
"HTTP_X_FORWARDED_PROTO": "http",
"HTTP_X_ENVOY_INTERNAL": "true",
"HTTP_X_REQUEST_ID": "9353dd3d-0fe5-4404-86f4-a9732a9c119c",
"HTTP_X_ENVOY_DECORATOR_OPERATION": "toystore.my-gateways.svc.cluster.local:80/*",
"HTTP_X_ENVOY_PEER_METADATA": "ChQKDkFQUF9DT05UQUlORVJTEgIaAAoaCgpDTFVTVEVSX0lEEgwaCkt1YmVybmV0ZXMKHQoMSU5TVEFOQ0VfSVBTEg0aCzEwLjI0NC4wLjIyChkKDUlTVElPX1ZFUlNJT04SCBoGMS4xNy4yCtcBCgZMQUJFTFMSzAEqyQEKIwoVaXN0aW8uaW8vZ2F0ZXdheS1uYW1lEgoaCHByb2Qtd2ViChkKDGlzdGlvLmlvL3JldhIJGgdkZWZhdWx0CjMKH3NlcnZpY2UuaXN0aW8uaW8vY2Fub25pY2FsLW5hbWUSEBoOcHJvZC13ZWItaXN0aW8KLwojc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtcmV2aXNpb24SCBoGbGF0ZXN0CiEKF3NpZGVjYXIuaXN0aW8uaW8vaW5qZWN0EgYaBHRydWUKGgoHTUVTSF9JRBIPGg1jbHVzdGVyLmxvY2FsCigKBE5BTUUSIBoecHJvZC13ZWItaXN0aW8tYzU0NWQ4ZjY4LTdjcjg2ChoKCU5BTUVTUEFDRRINGgtteS1nYXRld2F5cwpWCgVPV05FUhJNGktrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvbXktZ2F0ZXdheXMvZGVwbG95bWVudHMvcHJvZC13ZWItaXN0aW8KFwoRUExBVEZPUk1fTUVUQURBVEESAioACiEKDVdPUktMT0FEX05BTUUSEBoOcHJvZC13ZWItaXN0aW8=",
"HTTP_X_ENVOY_PEER_METADATA_ID": "router~10.244.0.22~prod-web-istio-c545d8f68-7cr86.my-gateways~my-gateways.svc.cluster.local",
"HTTP_X_ENVOY_ATTEMPT_COUNT": "1",
"HTTP_X_B3_TRACEID": "d65f580db9c6a50c471cdb534771c61a",
"HTTP_X_B3_SPANID": "471cdb534771c61a",
"HTTP_X_B3_SAMPLED": "0",
"HTTP_VERSION": "HTTP/1.1"
},
"uuid": "0ecb9f84-db30-4289-a3b8-e22d4021122f"
}