— Raghav Patel, SRE, MPL
Welcome to Tech Talk, where our tech experts break down complex concepts into digestible guides — from cloud technologies and microservices to software development and automation. Our insights draw from real-world experience building one of India’s leading skill-gaming apps.
In today’s post, we’ll walk through a practical guide on how to make your Kubernetes-based applications accessible to users outside your cluster, using Tetrate’s Ingress Gateway. Whether you’re running a small app or managing a large-scale infrastructure, this step-by-step tutorial will show you how to safely and efficiently connect your services to the internet.
In this demonstration, we’ll use EKS, the AWS-managed Kubernetes service, to run our Kubernetes cluster. This post focuses only on installing and configuring the Ingress Gateway, and assumes that you already have a running Kubernetes cluster with Tetrate Service Bridge (an enterprise Istio solution) installed.
For those unfamiliar with Tetrate, you can refer to the official documentation. Tetrate serves as an enterprise solution for Istio, providing powerful features for managing and securing microservices in Kubernetes environments.
Prerequisites
Before delving into the setup of the Ingress Gateway in Tetrate, it’s essential to familiarize ourselves with the key terms used throughout the configuration process.
Organization
In the Tetrate Service Bridge (TSB), an organization is the designation given to a corporation that shares a common infrastructure. It serves as the overarching entity managing all individual teams within the corporation.
Tenant
A tenant represents a group within an organization, such as a team or department. Tenants share organizational resources and possess specific privileges, including read and write access. This structure allows for the effective management of resources among different groups within the organization.
Workspace
A workspace acts as a meticulously partitioned zone where teams exclusively manage their namespaces. It serves as the centralized area for maintaining all service mesh-related configurations associated with a team’s namespaces. This spans across various Virtual Machines and Kubernetes clusters.
Group
A group is a logical consolidation of resources within a workspace. It can take the form of a gateway, traffic, or security group, providing a systematic way to organize and manage these resources for streamlined service mesh configuration.
Now that we have a grasp of the essential terminologies within Tetrate Service Bridge required for setting up the Ingress Gateway, let’s proceed with the assumption that our readers have already established the Organization, Tenant, and Workspace. In this demonstration, our primary focus will be on the creation of Groups. Within these Groups, we will specifically delve into the process of crafting the Ingress Gateway resource.
Create the namespace
To create the namespace where we’ll install all the Ingress resources, run the following command:
kubectl create ns ingress-gateway
Setup Groups
To define the TSB resource group, use the following command, which writes the group manifest to ingress-gateway-group.yaml. Replace the placeholder values with your specific information.
cat <<EOF > ingress-gateway-group.yaml
apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
  organization: <org-name> #<--Put your organization name here
  tenant: <tenant-name> #<--Put your tenant name here
  workspace: <workspace-name> #<--Put your workspace name here
  name: ingress-gateway-group #<--Give the name of group
spec:
  namespaceSelector:
    names:
      - "*/ingress-gateway" #ingress-gateway is namespace where we'll deploy ingress-gateway pod.
  configMode: BRIDGED
EOF
After replacing the placeholders with meaningful values, execute the following tctl command to create the group:
tctl apply -f ingress-gateway-group.yaml
After the group is successfully created, you can verify its existence by logging into the TSB console.

Install Tetrate Ingress Gateway
Now that we have set up the TSB resource group, the next step is to install the Ingress Gateway resource within that group. The following command generates a YAML file for the Ingress Gateway Resource:
cat <<EOF > install-ingress-gateway.yaml
apiVersion: install.tetrate.io/v1alpha1
kind: IngressGateway
metadata:
  name: ingress-gateway
  namespace: ingress-gateway
spec:
  kubeSpec:
    deployment:
      hpaSpec:
        maxReplicas: 10
        metrics:
          - resource:
              name: cpu
              targetAverageUtilization: 70
            type: Resource
        minReplicas: 1
      replicaCount: 1
      resources:
        limits:
          cpu: 1000m
          memory: 2Gi
        requests:
          cpu: 700m
          memory: 128Mi
      strategy:
        rollingUpdate:
          maxUnavailable: 0
        type: RollingUpdate
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-name: "ingress-gateway"
      ports:
        - name: mtls
          port: 15443
          targetPort: 15443
        - name: http2
          port: 80
          targetPort: 8080
        - name: https
          port: 443
          targetPort: 8443
      type: LoadBalancer
EOF
Here are some details about the YAML file to help you understand its components:
- spec.kubeSpec.deployment: This is a Kubernetes specification for the ingress-gateway pod. You can adjust the Horizontal Pod Autoscaler (hpa) settings, such as the maximum and minimum replicas, metrics for scaling, and resource limits like CPU and memory.
- service.annotations: These are annotations applied to the Kubernetes service for the ingress-gateway pod.
- service.ports: These are the ports defined for the Kubernetes service, and these ports are also exposed to the load balancers.
Run the command below to create the ingress-gateway resources:
kubectl apply -f install-ingress-gateway.yaml
Verify the Successful Creation of Ingress-Gateway Resources
To confirm that the ingress-gateway resources have been successfully created, run the following command:
kubectl get all -n ingress-gateway
The output should resemble the following:
NAME                                   READY   STATUS    RESTARTS   AGE
pod/ingress-gateway-685b885bd6-9vmbm   1/1     Running   0          18s

NAME                      TYPE           CLUSTER-IP      EXTERNAL-IP                                                                PORT(S)                                      AGE
service/ingress-gateway   LoadBalancer   172.20.170.40   aed1c8e12e0fe43b3924f26a95875985-1982569114.ap-south-1.elb.amazonaws.com   15443:30433/TCP,80:31919/TCP,443:31337/TCP   18s

NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/ingress-gateway   1/1     1            1           18s

NAME                                         DESIRED   CURRENT   READY   AGE
replicaset.apps/ingress-gateway-685b885bd6   1         1         1       18s

NAME                                                  REFERENCE                    TARGETS         MINPODS   MAXPODS   REPLICAS   AGE
horizontalpodautoscaler.autoscaling/ingress-gateway   Deployment/ingress-gateway   <unknown>/70%   1         10        1          18s
Now that we have installed the Ingress-Gateway resource in the namespace ingress-gateway, it is ready to be configured for routing. Moving forward, we will configure routing so that traffic arriving at the ingress gateway on port 80 with the hostname helloworld.example.com is routed to the helloworld service in the namespace sample.
Configure Routing of Ingress-gateway
To set up the routing for the Ingress-Gateway, save the following YAML configuration as configure-ingress-gateway.yaml:
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  organization: <org-name> #<--Put your organization name here
  tenant: <tenant-name> #<--Put your tenant name here
  workspace: <workspace-name> #<--Put your workspace name here
  group: ingress-gateway-group #<--Group name which we created earlier
  name: ingress-gateway #<--Name of IngressGateway
spec:
  workloadSelector: #<-- workloadSelector selects the Ingress Gateway pod which we created in the previous step
    namespace: ingress-gateway
    labels:
      app: ingress-gateway #By default, the ingress-gateway pod gets an app: label; check your pod to verify.
  http:
    - name: helloworld #<-- Just a name for the route; it can be any identifying name
      port: 80 #<--port of Ingress-Gateway where the client will send the traffic
      hostname: helloworld.example.com #<--host header in the client request
      routing:
        rules:
          - route:
              host: "sample/helloworld.sample.svc.cluster.local" #<-- Full DNS name of the Kubernetes service, prefixed by its namespace, where traffic should be routed.
              port: 5000 #<-- Port number of the helloworld service
To apply this configuration, run the following command:
tctl apply -f configure-ingress-gateway.yaml
If the command runs successfully, Tetrate accepts the Ingress-Gateway configuration, and it will create all the necessary components in the control-plane. Now, the gateway is ready to accept traffic from outside the Kubernetes cluster.
To access the helloworld service, create the DNS entry helloworld.example.com pointing to our Ingress-Gateway load balancer URL.
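The route above serves helloworld over plain HTTP on port 80, while the install manifest also exposes port 443 on the load balancer. As an added example (not part of the original post), here is the same route with TLS terminated at the gateway. The Secret name helloworld-certs is a hypothetical placeholder, and port 443 is an assumption that follows the post's convention of using the service port.

```yaml
# Added example, not from the original post: the helloworld route served
# over HTTPS instead of plain HTTP.
apiVersion: gateway.tsb.tetrate.io/v2
kind: IngressGateway
metadata:
  organization: <org-name>
  tenant: <tenant-name>
  workspace: <workspace-name>
  group: ingress-gateway-group
  name: ingress-gateway
spec:
  workloadSelector:
    namespace: ingress-gateway
    labels:
      app: ingress-gateway
  http:
    - name: helloworld
      # Assumption: 443 is the "https" service port from the install manifest,
      # used the same way the post uses service port 80.
      port: 443
      hostname: helloworld.example.com
      tls:
        mode: SIMPLE                  # one-way TLS, terminated at the gateway
        # Hypothetical name: a kubernetes.io/tls Secret holding the certificate
        # and key for helloworld.example.com, in the ingress-gateway namespace.
        secretName: helloworld-certs
      routing:
        rules:
          - route:
              host: "sample/helloworld.sample.svc.cluster.local"
              port: 5000
```

The Secret has to exist in the ingress-gateway namespace before the route is applied; it can be created with kubectl create secret tls.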
Congratulations!!
By following the above steps, you can create the Tetrate Ingress Gateway and expose your Kubernetes services outside of the Kubernetes cluster.
References:
https://docs.tetrate.io/service-bridge/refs/tsb/gateway/v2/ingress_gateway
https://docs.tetrate.io/service-bridge/quickstart/ingress_gateway