In public clouds, when a Kubernetes Service of type LoadBalancer is deployed, the cloud automatically assigns it an IP address that is reachable from the Internet (public). To prevent this and instead assign an IP address that is reachable only from the internal network on which the cluster is deployed, an annotation must be added to the Service definition. Each cloud has its own configuration and annotation for opting out of public IPs. The same applies to the ingress gateway Service that Istio creates during Tanzu Service Mesh cluster onboarding: a cluster onboarded to Tanzu Service Mesh in a cloud, whether AWS, Azure or GCP, is automatically configured with an Internet-facing IP address. During cluster onboarding, Tanzu Service Mesh lets customers make the cluster private in the cloud by selecting a check box or using the API, so that the gateway is not exposed to the Internet. The appropriate cloud configuration is then applied automatically at onboarding, ensuring that only an internal IP address is configured and that the gateway is not exposed to the Internet.
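As an added example (not code from the Tanzu Service Mesh documentation), the following Python audit checks whether a cluster's LoadBalancer Services, such as the Istio ingress gateway, carry the cloud-specific internal load-balancer annotation described above; it covers AWS, Azure and GCP. The annotation names are the cloud providers' own, and the kubectl output it parses is a constructed sample.

```python
import json

# Annotations with which each cloud's load-balancer controller is asked for an
# internal (non-public) IP. These are the providers' own documented annotations,
# not values from the Tanzu Service Mesh page; value matching is case-insensitive.
INTERNAL_LB_ANNOTATIONS = {
    "aws": {
        "service.beta.kubernetes.io/aws-load-balancer-internal": {"true"},
        "service.beta.kubernetes.io/aws-load-balancer-scheme": {"internal"},
    },
    "azure": {"service.beta.kubernetes.io/azure-load-balancer-internal": {"true"}},
    "gcp": {
        "networking.gke.io/load-balancer-type": {"internal"},
        "cloud.google.com/load-balancer-type": {"internal"},
    },
}


def is_internal_lb(service: dict, cloud: str) -> bool:
    """True if the Service will not be given an Internet-facing IP on `cloud`."""
    if service.get("spec", {}).get("type") != "LoadBalancer":
        return True  # ClusterIP/NodePort Services never get a cloud public IP
    annotations = service.get("metadata", {}).get("annotations") or {}
    wanted = INTERNAL_LB_ANNOTATIONS[cloud]
    return any(str(annotations.get(key, "")).lower() in values
               for key, values in wanted.items())


def find_public_gateways(kubectl_json: str, cloud: str) -> list:
    """namespace/name of each LoadBalancer Service in `kubectl get svc -A -o json` output lacking the annotation."""
    items = json.loads(kubectl_json).get("items", [])
    return [f"{s['metadata']['namespace']}/{s['metadata']['name']}"
            for s in items if not is_internal_lb(s, cloud)]


# Constructed sample output: one gateway annotated for AWS, one left public, one ClusterIP.
SAMPLE_KUBECTL_JSON = json.dumps({"items": [
    {"metadata": {"name": "istio-ingressgateway", "namespace": "istio-system",
                  "annotations": {"service.beta.kubernetes.io/aws-load-balancer-internal": "true"}},
     "spec": {"type": "LoadBalancer"}},
    {"metadata": {"name": "public-gateway", "namespace": "istio-system", "annotations": {}},
     "spec": {"type": "LoadBalancer"}},
    {"metadata": {"name": "istiod", "namespace": "istio-system"},
     "spec": {"type": "ClusterIP"}},
]})

if __name__ == "__main__":
    print(find_public_gateways(SAMPLE_KUBECTL_JSON, "aws"))  # ['istio-system/public-gateway']
```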

Prerequisites

Verify that the following prerequisites are met:

  • To set a cluster gateway as private, the cluster must already be onboarded; the API call simply updates the ingress Service configuration with the appropriate annotations for the cloud on which the cluster resides. For more information about onboarding a cluster, see Onboard a Cluster to Tanzu Service Mesh.

  • You know the Kubernetes namespaces in your clusters that hold the services of your application. These are the namespaces where the istio-injection=enabled label has been set to enable automatic sidecar injection.

  • You have an API token and an access code to authenticate your requests to the Tanzu Service Mesh API. You must use the access code in the csp-auth-token header in your requests. For information about generating an API token and getting an access code, see Authentication with the Tanzu Service Mesh REST API.

Procedure

  1. Submit the following request while onboarding a cluster.
    POST https://{server_name}/tsm/v1alpha2/projects/default/clusters

    Request Body

    {
      "displayName": "string",
      "description": "string",
      "tags": [
        "string"
      ],
      "labels": [
        {
          "key": "string",
          "value": "string"
        }
      ],
      "autoInstallServiceMesh": true,
      "enableNamespaceExclusions": false,
      "namespaceExclusions": [],
      "proxyConfig": {
        "proxy": "Explicit",
        "protocol": "HTTP",
        "host": "string",
        "port": 0,
        "username": "string",
        "password": "string",
        "certificate": "string"
      },
      "autoInstallServiceMeshConfig": {
        "restrictDefaultExternalAccess": true
      },
      "registryAccount": "string",
      "caLabels": [
        {
          "key": "string",
          "value": "string"
        }
      ],
      "enableInternalGateway": true,
      "enableNamespaceInclusions": true,
      "namespaceInclusions": [
        {
          "match": "prod-cluster",
          "type": "EXACT"
        },
        {
          "match": "acme",
          "type": "START_WITH"
        }
      ]
    }

    The enableInternalGateway property is the new parameter for private IP address support.
    
    Table 1. Request Body Properties

    Property: enableInternalGateway
    Data type: Boolean
    Required/Optional: Required
    Description: Specifies whether to enable the private ingress gateway when the cluster is onboarded. This allows users to add dedicated gateways for internal traffic. To enable the internal gateway, set this parameter to true. To deactivate the internal gateway, set it to false.

  2. Submit the following request to update the public service in the global namespace.
    PUT https://{server_name}/tsm/v1alpha2/projects/default/global-namespaces/{gnsId}/public-service/{fqdn}

    Request Body

    {
      "fqdn": "string",
      "name": "string",
      "ingress_on_private_gateways": true,
      "external_port": 0,
      "external_protocol": "HTTP",
      "ttl": 0,
      "public_domain": {
        "external_dns_id": "string",
        "primary_domain": "string",
        "sub_domain": "string",
        "certificate_id": "string"
      },
      "ha_policy": "string",
      "gslb": {
        "type": "ROUND_ROBIN",
        "weighted_policy": {
          "label_to_weight": [
            {
              "label_value": "string",
              "weight": 0
            }
          ]
        },
        "failover_policy": {
          "active_group": {
            "label_values": [
              "string"
            ],
            "type": "ROUND_ROBIN",
            "weighted_policy": {
              "label_to_weight": [
                {
                  "label_value": "string",
                  "weight": 0
                }
              ]
            }
          },
          "passive_group": {
            "label_values": [
              "string"
            ],
            "type": "ROUND_ROBIN",
            "weighted_policy": {
              "label_to_weight": [
                {
                  "label_value": "string",
                  "weight": 0
                }
              ]
            }
          }
        }
      },
      "wildcard_certificate_id": "string",
      "healthcheck_ids": [
        "string"
      ]
    }
    
    Table 2. Request Body Properties

    Property: ingress_on_private_gateways
    Data type: Boolean
    Required/Optional: Required
    Description: Specifies whether to enable the private ingress gateway when the global namespace is created. This allows users to add dedicated gateways for internal traffic. To enable the internal gateway, set this parameter to true. To deactivate the internal gateway, set it to false.

    The ingress_on_private_gateways property is the new parameter for private IP address support.

    For a detailed list of request body parameters while creating a global namespace, see Create a Global Namespace.
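The two calls of the procedure above as a small Python client; this is added example code, not part of the Tanzu Service Mesh documentation. It assumes the server name and access code are supplied by the caller, builds only the body fields that concern private IP support (the remaining fields from the request bodies above can be added as needed), and sends each request with the csp-auth-token header.

```python
import json
import urllib.request

API_PREFIX = "/tsm/v1alpha2/projects/default"
NAMESPACE_MATCH_TYPES = {"EXACT", "START_WITH"}  # match types used in the request bodies above


def auth_headers(access_code: str) -> dict:
    """Every request authenticates with the access code in the csp-auth-token header."""
    return {"csp-auth-token": access_code, "Content-Type": "application/json"}


def private_cluster_onboarding(display_name: str, inclusions: list) -> dict:
    """Body for POST .../clusters that requests a private (internal) gateway IP.

    `inclusions` is a list of (match, type) pairs for namespaceInclusions; only the
    fields relevant to private IP support are set here.
    """
    for _, match_type in inclusions:
        if match_type not in NAMESPACE_MATCH_TYPES:
            raise ValueError(f"unsupported namespace match type: {match_type!r}")
    return {
        "displayName": display_name,
        "autoInstallServiceMesh": True,
        "autoInstallServiceMeshConfig": {"restrictDefaultExternalAccess": True},
        "enableInternalGateway": True,  # new parameter: no Internet-facing gateway IP
        "enableNamespaceInclusions": bool(inclusions),
        "namespaceInclusions": [{"match": m, "type": t} for m, t in inclusions],
    }


def private_public_service_update(fqdn: str, name: str, port: int) -> dict:
    """Body for PUT .../global-namespaces/{gnsId}/public-service/{fqdn} on the private gateways."""
    return {"fqdn": fqdn, "name": name, "ingress_on_private_gateways": True,
            "external_port": port, "external_protocol": "HTTP"}


def send(server: str, method: str, path: str, access_code: str, body: dict) -> tuple:
    """POST or PUT `body` to the API and return (HTTP status, decoded JSON); 200 means success."""
    req = urllib.request.Request(f"https://{server}{API_PREFIX}{path}", method=method,
                                 data=json.dumps(body).encode("utf-8"),
                                 headers=auth_headers(access_code))
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx responses
        return resp.status, json.loads(resp.read() or b"{}")
```

Onboard with `send(server, "POST", "/clusters", access_code, private_cluster_onboarding(...))`, then update the service with `send(server, "PUT", f"/global-namespaces/{gns_id}/public-service/{fqdn}", access_code, private_public_service_update(...))`.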

Results

If private IP support was enabled successfully and the cluster was onboarded successfully using the POST request, the response header from the Tanzu Service Mesh REST API contains a status code of 200. The response body includes the code and display_name.

Similarly, if the public service was updated successfully using the PUT request, the response contains a status code of 200 and the message public service updated.

Important:

Route53/public service is not supported with private IP. Avi is the recommended GSLB.

Example: Request to Enable Private IP Address Support

Submit the following request to enable private IP support on a cluster by setting enableInternalGateway to true.

POST https://sample-server.servicemesh.biz/tsm/v1alpha2/projects/default/clusters

Use the following properties in the request body.

{
  "displayName": "string",
  "description": "string",
  "tags": [
    "string"
  ],
  "labels": [
    {
      "key": "string",
      "value": "string"
    }
  ],
  "autoInstallServiceMesh": true,
  "enableNamespaceExclusions": false,
  "namespaceExclusions": [ ],
  "proxyConfig": {
    "proxy": "Explicit",
    "protocol": "HTTP",
    "host": "string",
    "port": 0,
    "username": "string",
    "password": "string",
    "certificate": "string"
  },
  "autoInstallServiceMeshConfig": {
    "restrictDefaultExternalAccess": true
  },
  "registryAccount": "string",
  "caLabels": [
    {
      "key": "string",
      "value": "string"
    }
  ],
  "enableInternalGateway": true,
  "enableNamespaceInclusions": true,
  "namespaceInclusions": [
    {
      "match": "prod-cluster",
      "type": "EXACT"
    },
    {
      "match": "acme",
      "type": "START_WITH"
    }
  ]
}