LB configuration is not working using Gateway API #4175

anannaya opened this issue May 9, 2025 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

anannaya commented May 9, 2025

Migrating the k8s Ingress to Gateway API with the Istio ingress pods. Here is my config.

apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
  name: internet-facing-config
  namespace: istio-system
spec:
  scheme: internet-facing
  tags:
    Owner: anand
    SpendType: COGS
  loadBalancerName: anand-ingress-k8sgatewayapi-alb
  loadBalancerAttributes:
    - key: idle_timeout.timeout_seconds
      value: "120"
  listenerConfigurations:
    - protocolPort: HTTP:80
    - protocolPort: HTTPS:443
      defaultCertificate: arn:aws:acm:us-east-1:xxxxxxxxxxxxxxxx:certificate/329884a5-f66e-48f5-a30e-677058afe898
---
apiVersion: gateway.k8s.aws/v1beta1
kind: TargetGroupConfiguration
metadata:
  name: istio-targetgroup-config
  namespace: istio-system
spec:
  targetReference:
    group: ""
    kind: Service
    name: default-k8s-gateway-alb-istio
  defaultConfiguration:
    protocol: HTTPS
    protocolVersion: http1
    healthCheckConfig:
      healthCheckPort: "15021"
      healthCheckPath: "/healthz/ready"
      healthCheckProtocol: http
    targetGroupAttributes:
      - key: deregistration_delay.timeout_seconds
        value: "50"
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: aws-loadbalancer-controller
spec:
  controllerName: gateway.k8s.aws/alb
  parametersRef:
    group: gateway.k8s.aws
    kind: LoadBalancerConfiguration
    name: internet-facing-config
    namespace: istio-system
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name:  aws-loadbalancer-controller-gateway
  namespace: istio-system
spec:
  gatewayClassName:  aws-loadbalancer-controller
  listeners:
  - name: https
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: star-xxxx-com-certs
    allowedRoutes:
      namespaces:
        from: All
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: default-k8s-gateway-alb
  namespace: istio-system
  annotations:
    external-dns.alpha.kubernetes.io/hostname: istiok8salb.anand.xxxx.thunderhead.io
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
    networking.istio.io/service-type: NodePort
spec:
  gatewayClassName: istio
  listeners:
  - name: https
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: star-xxxxxxx-com-certs
    allowedRoutes:
      namespaces:
        from: All

I see the ALB got created, but no target groups or listeners.

aws-loadbalancer-controller-gateway aws-loadbalancer-controller k8s-istiosys-awsloadb-dfdfdfdfd-1125923642.us-east-1.elb.amazonaws.com Unknown 4h19m

@zac-nixon
Collaborator

Hi. Very exciting that you're trying out the Gateway implementation already!

The current implementation is very basic, and doesn't support encrypted traffic (HTTPS) yet. Further, the TargetGroupConfiguration object is not yet supported. We wanted to get something out to give people a chance to feel out the implementation. I can see two issues:

  • You have defined the Gateway twice; I would recommend using one Gateway and having two listeners.
  • There are no route objects attached to the Gateway. The route objects direct the gateway what TargetGroups to create.

zac-nixon added the kind/bug label May 9, 2025
@shraddhabang
Collaborator

@anannaya So excited that you are trying out Gateway API.

To add to Zac's points, we only materialize the listeners for a gateway if we find the associated routes for it, and create TGs for the backends in those routes, to avoid leaking target groups for the services which are not yet referred to by any gateways.
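
The attachment rule described in the two replies above, as an added example that is not part of the original thread and is not the controller's code: a pre-apply check that lists Gateway listeners no route points at, using the standard Gateway API `parentRefs` defaults. The function names, the route name `istio-ingress-route` and its backend are assumptions; the Gateways are trimmed copies of the ones in the issue.

```python
# Added example (not the controller's code): list Gateway listeners that have
# no route attached. Ignores allowedRoutes and hostname matching (lint only).
GW_GROUP = "gateway.networking.k8s.io"

def _is_gw_api(obj):
    return obj["apiVersion"].split("/")[0] == GW_GROUP

def unrouted_listeners(objects, gateway_class=None):
    """Return sorted (namespace, gateway, listener) tuples that no route targets."""
    listeners = set()
    for obj in objects:
        if obj["kind"] != "Gateway" or not _is_gw_api(obj):
            continue
        if gateway_class and obj["spec"]["gatewayClassName"] != gateway_class:
            continue
        ns = obj["metadata"].get("namespace", "default")
        for lis in obj["spec"].get("listeners", []):
            listeners.add((ns, obj["metadata"]["name"], lis["name"]))
    attached = set()
    for obj in objects:
        if not obj["kind"].endswith("Route") or not _is_gw_api(obj):
            continue
        route_ns = obj["metadata"].get("namespace", "default")
        for ref in obj["spec"].get("parentRefs", []):
            # parentRefs defaults: group is the Gateway API group, kind is
            # Gateway, namespace is the route's own namespace.
            if ref.get("group", GW_GROUP) != GW_GROUP or ref.get("kind", "Gateway") != "Gateway":
                continue
            gw = (ref.get("namespace", route_ns), ref["name"])
            section = ref.get("sectionName")  # absent: attaches to every listener
            attached |= {l for l in listeners if l[:2] == gw and section in (None, l[2])}
    return sorted(listeners - attached)

def gateway(name, cls):  # trimmed copy of a Gateway from the issue
    return {"apiVersion": GW_GROUP + "/v1", "kind": "Gateway",
            "metadata": {"name": name, "namespace": "istio-system"},
            "spec": {"gatewayClassName": cls,
                     "listeners": [{"name": "https", "port": 443, "protocol": "HTTPS"}]}}

ISSUE_GATEWAYS = [gateway("aws-loadbalancer-controller-gateway", "aws-loadbalancer-controller"),
                  gateway("default-k8s-gateway-alb", "istio")]
# Constructed HTTPRoute: its name and its use of this backend are assumptions.
ROUTE = {"apiVersion": GW_GROUP + "/v1", "kind": "HTTPRoute",
         "metadata": {"name": "istio-ingress-route", "namespace": "istio-system"},
         "spec": {"parentRefs": [{"name": "aws-loadbalancer-controller-gateway",
                                  "sectionName": "https"}],
                  "rules": [{"backendRefs": [{"name": "default-k8s-gateway-alb-istio",
                                              "port": 443}]}]}}
```

Calling `unrouted_listeners(ISSUE_GATEWAYS, "aws-loadbalancer-controller")` reports the `https` listener of the ALB Gateway as unrouted, which matches the state shown in the issue; adding `ROUTE` to the list clears it.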

@anannaya
Author

@shraddhabang @zac-nixon Thanks a lot for responding. I would like to replicate the same Ingress resources using the Gateway API:
ALB(ingress)-->istio-ingress-gateway-pods(targets)

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig":
      { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:xxxxxxxxx:certificate/329884a5-f66e-48f5-a30e-677058afe898
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=120
    alb.ingress.kubernetes.io/load-balancer-name: anand-ingress-alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/tags: Owner=anand,SpendType=COGS
    alb.ingress.kubernetes.io/target-group-attributes: deregistration_delay.timeout_seconds=50
    external-dns.alpha.kubernetes.io/hostname: istioalb.anand.xxxxxx.thunderhead.io
    gateway.networking.k8s.io/gateway-name: default-gateway-alb
  name: default-gateway-alb
  namespace: istio-system
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      - backend:
          service:
            name: ssl-redirect
            port:
              name: use-annotation
        path: /
        pathType: Prefix
      - backend:
          service:
            name: istio-ingressgateway-alb
            port:
              number: 443
        path: /
        pathType: Prefix
