Deploy Istio Egress Gateway After Installation

推荐超级课程：

• 本地离线DeepSeek AI方案部署实战教程【完全版】
• Docker快速入门到精通
• Kubernetes入门到大师通关课
• AWS云服务快速入门实战

Posted 1 year ago by Thomas Stringer

When working with Istio, it’s common to kick off a new installation with the default profile:

| <br> | <br> | | --- | --- | | 123456 | $ istioctl install -y✔ Istio core installed ✔ Istiod installed ✔ Ingress gateways installed ✔ Installation complete Making this installation the default for injection and validation. |

As you can see, Istio installed an ingress gateway:

| <br> | <br> | | --- | --- | | 123 | $ kubectl get po -A -l istio=ingressgatewayNAMESPACE NAME READY STATUS RESTARTS AGEistio-system istio-ingressgateway-677f4f9cc4-xks8k 1/1 Running 0 59s |

But there is no egress gateway from this profile:

| <br> | <br> | | --- | --- | | 12 | $ kubectl get po -A -l istio=egressgatewayNo resources found |

This is because the default profile doesn’t have it enabled (kubectl get io -n istio-system installed-state -o yaml):

| <br> | <br> | | --- | --- | | 12345678910111213 | apiVersion: install.istio.io/v1alpha1kind: IstioOperatormetadata: name: installed-state namespace: istio-systemspec: profile: default components: egressGateways: - enabled: false name: istio-egressgateway# Rest of configuration removed for brevity... |

In the event that you do want the egress gateway, though, you just need to create another IstioOperator:

| <br> | <br> | | --- | --- | | 123456789101112131415161718 | apiVersion: install.istio.io/v1alpha1kind: IstioOperatormetadata: name: egress namespace: istio-systemspec: profile: empty values: gateways: istio-egressgateway: injectionTemplate: gateway components: egressGateways: - name: istio-egressgateway namespace: istio-system enabled: true label: istio: egressgateway |

Here we specify the “empty” profile, because we don’t need the control plane or any CRDs installed with this (they are already there!). But we do add the egress gateway by specifying it’s name and label (and enabled: true). Then we specify the injectionTemplate to be set to template. Once this manifest is created, we can install it similar to how we did the initial installation, but this time passing this file:

| <br> | <br> | | --- | --- | | 123 | $ istioctl install -y -f ./istio-egress.yaml✔ Egress gateways installed✔ Installation complete |

Just like with any other installation, it is a good idea to verify this afterwards:

| <br> | <br> | | --- | --- | | 123456789101112 | $ istioctl verify-install -f ./istio-egress.yaml✔ HorizontalPodAutoscaler: istio-egressgateway.istio-system checked successfully✔ Deployment: istio-egressgateway.istio-system checked successfully✔ PodDisruptionBudget: istio-egressgateway.istio-system checked successfully✔ Role: istio-egressgateway-sds.istio-system checked successfully✔ RoleBinding: istio-egressgateway-sds.istio-system checked successfully✔ Service: istio-egressgateway.istio-system checked successfully✔ ServiceAccount: istio-egressgateway-service-account.istio-system checked successfully✔ IstioOperator: egress.istio-system checked successfullyChecked 0 custom resource definitionsChecked 1 Istio Deployments✔ Istio is installed and verified successfully |

And now we should see our egress gateway in the cluster!

| <br> | <br> | | --- | --- | | 123 | $ kubectl get po -A -l istio=egressgatewayNAMESPACE NAME READY STATUS RESTARTS AGEistio-system istio-egressgateway-5bf66588fc-kqdvh 1/1 Running 0 88s |

Hopefully this blog post has helped you how you can install the Istio egress gateway even after the initial service mesh installation!