Istio Ingress
UDS Core leverages Istio for ingress into the service mesh. This document provides an overview and examples of the Istio resources that UDS Core deploys to handle ingress.
Gateways
UDS Core provides a few Istio Gateway resources to allow ingress into the service mesh. Each one serves a different purpose and can be used to route traffic to different services.
- (Required) Tenant Gateway - This gateway provides ingress to typical end-user applications. By default, UDS Core deploys a few services on this gateway, such as the Keycloak SSO portal. This gateway is typically exposed to end users of the applications deployed on top of UDS Core.
- (Required) Admin Gateway - This gateway provides ingress to admin-related applications that are not for use by the default end user. By default, UDS Core deploys a few services on this gateway, such as the Admin Keycloak interface. This gateway is typically accessible to admins of the applications deployed on top of UDS Core. Since the Admin and Tenant Gateways are logically separated, it is possible to have different security controls on each gateway.
- (Optional) Passthrough Gateway - This gateway allows mesh ingress without TLS termination performed by Istio. This could be useful for applications that need to (or currently) handle their own TLS termination. This gateway used to be a default component of UDS Core but is no longer deployed by default. To deploy this gateway, you must specify
istio-passthrough-gateway
as anoptionalComponent
in your UDS Bundle configuration.
Enable Passthrough Gateway
In order to enable the Passthrough Gateway, you must specify istio-passthrough-gateway
as an optionalComponent
in your UDS Bundle configuration. Here is an example of how to do this:
Configure Domain Name and TLS for Istio Gateways
By default, the UDS Core Istio Gateways are set up to use the uds.dev
(tenant/passthrough) and admin.uds.dev
(admin) domains with valid TLS certificates. You will need to change the domain name for your environment and provide a valid TLS certificate for your domain(s).
You can set the TLS certs via overrides in a UDS Bundle (see below). UDS Core Istio Gateways default to only supporting TLS v1.3, but this can also be overridden per gateway if clients use TLS 1.2 (as seen in the tenant gateway example value
below).
You can then either use environment variables (UDS_ADMIN_TLS_CERT
, UDS_ADMIN_TLS_KEY
, UDS_TENANT_TLS_CERT
, and UDS_TENANT_TLS_KEY
) or a config file to configure the certs for each gateway. These values should be base64 encoded strings of the TLS certificate and key for the admin and tenant gateways respectively.
Domain should be set via your uds-config file using the shared key to override the Zarf Domain Variable (see example uds-config.yaml
below). By default the admin_domain
will be set to admin.<DOMAIN>
but can be overridden to host admin services on a different domain.
Configuring TLS from a Secret
As an alternative to specifying individual certificate, key, and CA certificate values, you can set tls.credentialName
in the gateway configuration. This field specifies the name of a Kubernetes secret containing the TLS certificate, key, and optional CA certificate for the gateway. When tls.credentialName
is set, it will override tls.cert
, tls.key
, and tls.cacert
values, simplifying the configuration by allowing a direct reference to a Kubernetes TLS secret. This secret should be placed in the same namespace as the gateway resource. See Gateway ServerTLSSettings for all required and available secret keys.
This approach is useful if you already have a Kubernetes secret that holds the necessary TLS data and want to use it directly.