How to set AWS ALB instead of ELB in Istio?

Question

I am trying to setup ALB load balancer instead of default ELB loadbalancer in Kubernetes AWS.The loadbalancer has to be connected to the istio ingressgateway.I looked for solutions and only found one. But the istio version mentioned is V1 and there has been so many changes in istio now.I tried to change service type to nodeport in the chart (according to the blog)but still the service comes as a Loadbalancer.

Can someone mention steps how to configure ALB for istio ingressgateway?

Thanks for reading

Answer 1

Step 1 : Change istioingresssgateway service type as nodeport

Step 2 : Install ALB ingress controller

Step 3 : Write ingress.yaml for istioingressgateway as follows:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: istio-system
  name: ingress
  labels:
    app: ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: <subnet1>,<subnet2>
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: istio-ingressgateway
              servicePort: 80

alb.ingress.kubernetes.io/subnets annotation can be avoided if you labelled subnet of vpc with :

kubernetes.io/cluster/: owned

kubernetes.io/role/internal-elb: 1 (for internal ELB)

kubernetes.io/role/elb: 1 (for external ELB)

or else you can provide two subnet values and each subnet should be in different availability zone in the above yaml

It worked in Istio 1.6

Answer 2

Current accepted answer is correct. However I would like to give a slight update to it. Once AWS alb controller is installed and configured there are several steps one should take to make it work and be usable:

1. Use istioctl manifest generate command to generate a list of manifests
2. Find istio-ingressgateway service configuration
3. Update it to be of a NodePort type
4. Update ports configuration to have a pre-defined mapping of Node and Target ports. Note the status-port NodePort
5. Apply these manifests instead of installing/updating istio using istioctl install command. In some cases it might be better to rely on istio helm installation though
6. Update ingress configuration to have the following annotations

      alb.ingress.kubernetes.io/healthcheck-port: 'PORT'
      alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
      alb.ingress.kubernetes.io/healthcheck-protocol: HTTP```
where PORT equals to the istio status-port NodePort value 

This way, you update ALB default configuration for the healthcheck to check Istio healthcheck 

Answer 3

I can confirm solution by tibin_tomy worked for me on Istio 1.7.4. Additionally I used ClusterIP under step 1 instead of NodePort.

Step1 - Change istioingresssgateway service type to ClusterIP (Installing Istio using IstioOperator):

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator

metadata:
  namespace: istio-system
  name:      istio
spec:
  profile: default
  components:
    ingressGateways:
      - name: istio-ingressgateway
        k8s:
          service:
            type: ClusterIP # Disable classic load balancer creation (default), routing to here will be done via Kubernetes Ingress resource

NOTE: Deploy "Ingress" in the same namespace as istio-ingressgateway (istio-system by default). For example if istio-ingressgateway is in namespace istio-system and Ingress is in namespace system, then aws-alb-ingress-controller errors with:

"kubebuilder/controller "msg"="Reconciler error" "error"="failed to reconcile targetGroups due to failed to load serviceAnnotation due to no object matching key "system/istio-ingressgateway" in local store" "controller"="alb-ingress-controller" "request"={"Namespace":"system","Name":"sonata-ingress"}"