Login 24/7 Support Community

As an Ingress with Istio Service Mesh

Introduction

Utilising Tyk for API Management at the edge ingress or egress of a service mesh is a common use case. You’ll cover here how to set up Tyk as an Ingress alongside Istio acting as a service mesh for the upstream services. This opens up the ability to use the powerful API gateway and API management capabilities of Tyk, giving you the benefit of Istio for East-West traffic and Tyk for north-south traffic.

Each Tyk Ingress Gateway will have a sidecar that intercepts the traffic on the internal mesh side and so can offload responsibility for certificate management and mutual TLS to Istio.

Prerequisites

A Kubernetes cluster and Kubectl.

Optional but recommended: Tyk Operator for managing our API management resources in the Gateway (API Definitions and Security Policies) and for managing Ingress and TLS Certifications for the Ingress using Certmanager if required. This guide includes declaratively deploying an API with the Operator once you have Tyk installed as our Istio Ingress.

Istioctl command line tool on your machine.

Setup Istio

Install istioctl so you can deploy the Istio control plane, IstioD.

You will not need to install the Istio ingress gateway instances since this will be managed by your Tyk Gateway.

For this example lets Install IstioD control plane with:

 istioctl install --set profile=minimal -y

or if you want to allow egress traffic to the internet for now from inside the mesh:

istioctl install --set profile=minimal -y --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY

You should see

✔ Istio core installed
✔ Istiod installed
✔ Installation complete

You can check IstioD is up and running with kubectl -n istio-system get deploy and should see something like:

NAME     READY   UP-TO-DATE   AVAILABLE   AGE
istiod   1/1     1            1           1m

Install Tyk on Istio with Helm

Before you install Tyk add your Tyk namespace where your Tyk Gateway, API Dashboard and Pump are installed to the injected namespaces for Istio. (This demo will also inject sidecars on our Redis and MongoDB - these would normally be recommended to install outside your cluster).

kubectl create namespace tyk

followed by

kubectl label namespace tyk istio-injection=enabled

Install the Tyk setup of your choice from Tyk’s Helm charts on our GitHub pages. This guide assumes the use of the quickstart Tyk Pro installation.

From the tyk-helm-chart repo folder:

Install Mongo:

kubectl apply -f deploy/dependencies/mongo.yaml -n tyk

Install Redis:

kubectl apply -f deploy/dependencies/redis.yaml -n tyk

Ensure that in the values.yaml file the top-level setting gateway.enableIstioIngress: true . This will enable you to reach the Dashboard API manager and the API Gateways from outside the cluster. Also input your Tyk license into the values.yaml.

Then run helm install:

helm install tyk-pro -f ./values.yaml ./tyk-pro -n tyk --wait

When up and running you should see the Tyk pods with their sidecars.

NAME                                 READY   STATUS    RESTARTS   AGE
dashboard-tyk-pro-78fdc5d8cb-88dqx   2/2     Running   0          70s
gateway-tyk-pro-m9kd8                2/2     Running   0          70s
mongo-7fb8b5459c-88k6z               2/2     Running   0          94s
pump-tyk-pro-67dc9f5695-gn9vz        2/2     Running   0          70s
redis-db9784c88-qwcdw                2/2     Running   0          89s

Get your login details for the dashboard by running the commands returned in the Helm notes file after successful Helm install:

Username:

kubectl get secret --namespace tyk tyk-login-details -o jsonpath="{.data.TYK_USER}" | base64 --decode

and password:

kubectl get secret --namespace tyk tyk-login-details -o jsonpath="{.data.TYK_PASS}" | base64 --decode

Navigate to your Tyk Dashboard endpoint to login. In this case on Minikube/Kind or Docker Desktop it would be on localhost along with a NodePort.

dashboard-svc-tyk-pro   NodePort    10.101.9.66     <none>        3000:30315/TCP   22s

You need a service inside our service mesh to proxy to and we include a sample httpbin service you can use. Of course any services will work such as the bookinfo demo used by Istio.

Deploy the httpbin service inside an injected namespace i.e. default with:

kubectl label namespace default istio-injection=enabled

then:

kubectl apply -f samples/httpbin.yaml

Tyk on Istio: Deploy an API with The Dashboard UI

Once logged in to the dashboard follow one of our guides on the Tyk docs.

https://www.tyk.io/docs/tyk-cloud/getting-started-tyk-cloud/first-api/

This Tyk Cloud guide works similarly for self-managed - remember to tag your API “ingress” so it will be loaded in the Ingress Gateway.

Tyk on Istio: Deploy an API declaratively with the Tyk Operator

Our Tyk Pro install has helpfully seeded a secret for us to use to connect your Tyk Operator to the API Management Dashboard.

You can go and do this from the guides on the Tyk Operator Docs

For this guide you will deploy the Operator in the same namespace as our existing components. The Tyk Operator can be deployed in another namespace if needed and be instructed to watch any namespaces.

You can view our populated Operator secret details with:

kubectl get secret/tyk-operator-conf -n tyk -o json | jq '.data'
{
  "TYK_AUTH": "OTY1MTZjODVmMGUyNGUyNjYwNGI4ZWJmMzZjOGYyMTg=",
  "TYK_MODE": "cHJv",
  "TYK_ORG": "NjAzYTBmZGI3MWE5ZjAwMDAxNTNjMzg1",
  "TYK_URL": "aHR0cDovL2Rhc2hib2FyZC1zdmMtdHlrLXByby50eWsuc3ZjLmNsdXN0ZXIubG9jYWw6MzAwMA=="
}

Now either clone or checkout the Tyk Operator repo as you’ll be working from there for the rest of this guide.

Once in the Tyk Operator directory firstly install the CRDs you need:

kubectl apply -f ./helm/crds
customresourcedefinition.apiextensions.k8s.io/apidefinitions.tyk.tyk.io configured
customresourcedefinition.apiextensions.k8s.io/securitypolicies.tyk.tyk.io configured
customresourcedefinition.apiextensions.k8s.io/webhooks.tyk.tyk.io configured

Next install certmanager for the Tyk Gateway server certs:

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.3/cert-manager.yaml

And deploy the Operator itself:

helm install tyk-op -f ./config/samples/istio/values.yaml ./helm -n tyk

Now you can apply our API definition to create the proxy configuration for the Gateway in front of the httpbin service we deployed into our mesh:

cat <<EOF | kubectl create -n tyk -f -
apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: httpbin
spec:
  name: httpbin
  use_keyless: true
  tags:
    - ingress
  protocol: https
  active: true
  proxy:
    target_url: http://httpbin.default.svc.cluster.local:8000
    listen_path: /httpbin
    strip_listen_path: true
EOF

You can now send a request to the httpbin service inside our mesh:

curl https://localhost:30598/httpbin/get -k
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Content-Length": "0",
    "Host": "httpbin.default.svc.cluster.local:8000",
    "User-Agent": "curl/7.54.0",
    "X-B3-Parentspanid": "eef815d5f368e0c1",
    "X-B3-Sampled": "0",
    "X-B3-Spanid": "0c65b076de84c027",
    "X-B3-Traceid": "ddf6ff2e7c053b61eef815d5f368e0c1",
    "X-Envoy-Attempt-Count": "1",
    "X-Envoy-Internal": "true",
    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/default;Hash=b2e9d4431e31dd6a54d6a21c9cbcd5f0aa55d45f2ddcd5e8aae3ac7ea73ee66b;Subject=\"\";URI=spiffe://cluster.local/ns/tyk/sa/default"
  },
  "origin": "192.168.65.3",
  "url": "http://httpbin.default.svc.cluster.local:8000/get"
}