What is spec/selector label in an Istio Gateway configuration?

Question

I am new to Istio Gateway and my goal is to create a Ingress Gateway for a service deployed on K8s.

I am a bit confused with the Gateway example in the official document: https://istio.io/latest/docs/concepts/traffic-management/#gateway-example .

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ext-host-gwy
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - ext-host.example.com
    tls:
      mode: SIMPLE
      credentialName: ext-host-cert

In this example, what is app: my-gateway-controller under spec/selector? Is there additional configuration/deployment needed for this my-gateway-controller?

I tried searching "my-gateway-controller" in the rest of the document, but didn't find further explanation.

Answer 1

Its usually istio ingress gateway pod label name which needs to be given in selector, as the external traffic will enter through ingress gateway pod. unless the name of ingress gateway is changed during istio installation.

Please mention as below in the gateway definition which will route the traffic to application.

spec:
  selector:
    istio: ingressgateway

Answer 2

Istio can be installed with different options. They have different profiles that can be used for testing, for default scenarios and custom setup. One option is to configure an ingress-controller (but you could also have non and use a different non-istio ingress-controller).

Depending on your setup you can either have no ingress-gateway, the default ingress-gateway or a custom gateway.

The default gateway has a label that's called istio: ingressgateway . You can find that in most of the example/getting started docs, eg in how to setup a secure ingress

Here the Gateway looks like that:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mygateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
[...]

The other option would be to setup a second ingress-gateway that might have a different name. You can for example use the IstioOperator manifest to configure this.

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  components:
    ingressGateways:
    - enabled: true
      name: my-gateway-controller

That ingress-gateway pod will get a label of app: my-gateway-controller . This label can than be used as it has been in the example you posted. So you can check all ingress-gateway pods you have and choose the label you need.

If you went with the default setup, you probably have the default ingress-gateway and can simple change the selector to istio: ingressgateway .

For the beginning I would recommend to stick with the tasks section for configuring your setup, because it's uses the default istio setup most people have. If you need more details or something special you can always check the docs pages.