🤯 Support for Kubernetes Gateway API is now available in developer preview. Learn more ->
March 18, 2024
|
7
min read

Introducing support for the Kubernetes Gateway API in the ngrok Kubernetes Operator

Kubernetes
Kubernetes
Product updates
by
Abdirahman Osman
Abdirahman Osman

We are excited to announce support for the Kubernetes Gateway API, now available in developer preview.

To use the Gateway API, cluster operators will set up a Gateway on their cluster with one or more listeners. These listeners will be linked to endpoints and edges at ngrok. Application developers will then be able to create routes that modify traffic and direct it to backends like Kubernetes Services. 

Regardless of whether you use the existing Kubernetes ingress controller or this new Gateway API implementation, you’ll still get all the benefits of ngrok:

  • Effortless configuration: Set the authentication keys to your ngrok account and you're done. Operators do not need to configure networking details like ELBs, IPs, network interfaces or VPC routing.
  • Environment independence: Runs identically in EKS, GKE, k3s on your laptop, OpenShift in your own datacenter or Minikube on your Raspberry Pi.
  • Security and resiliency: Because the Operator pushes authentication and policy to ngrok's global network, attacks and other unwanted traffic never reach your origin network.
  • Acceleration: ngrok’s GSLB boosts application performance by routing end-user traffic to the closest point of presence, minimizing latency. 
Routing traffic with Kubernetes Gateway API

Let's get started!

Want to jump into the references? Find them here:

Otherwise, let’s take a test ride on the ngrok Gateway API, we’ll create a gateway for the echo service container mendhak/http-https-echo which echos back http requests. In the examples below, we use <HOSTNAME> placeholder to represent an ngrok hostname like yourName.ngrok.app Go to the dashboard to reserve a domain. First let’s create our Gateway and GatewayClass objects

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: simple-gatewayclass
  namespace: ngrok-ingress-controller
spec:
  controllerName: ngrok.com/gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: simple-gateway
  namespace: ngrok-ingress-controller
spec:
  gatewayClassName: simple-gatewayclass
  listeners:
    - protocol: HTTPS
      hostname: 
      port: 443
      tls: 
        mode: Terminate
        certificateRefs:
        - name: ngrokcert # ngrok generats a cert for you, so this field is just a placeholder to satisfy the gateway crd
      name: simple-listener

The above code tells the operator that the Gateway uses ngrok’s infrastructure, and then provisions a domain. Next let’s deploy that echo service, so the HTTPRoute can direct traffic to this service.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo-deploy
  namespace: ngrok-ingress-controller
spec:
  selector:
    matchLabels:
      app: http-echo-app
  replicas: 2
  template:
    metadata:
      labels:
        app: http-echo-app
    spec:
      containers:
      - name: http-echo-path2
        image: mendhak/http-https-echo:31
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: http-echo-svc
  namespace: ngrok-ingress-controller
  labels:
    app: http-echo-app
spec:
  ports:
  - name: http-echo-app
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: http-echo-app

Now, let's make our HTTPRoute.

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: simple-route
spec:
  parentRefs:
  - name: simple-gateway
  hostnames: [<HOSTNAME>]
  rules:
  - backendRefs:
    - name: http-echo-svc
      port: 80
      kind: Service

And just like that, your service is now available to the entire world. Let’s add some gas to it by using Filters, and adding more hosts. Add the following listeners to your Gateway:

   - protocol: HTTPS
      hostname: <HOSTNAME_2>
      port: 443
      tls: 
        mode: Terminate
        certificateRefs:
        - name: ngrokcert
      name: domain-two
    - protocol: HTTPS
      hostname: <HOSTNAME_3>
      port: 443
      tls: 
        mode: Terminate
        certificateRefs:
        - name: ngrokcert
      name: domain-three

Let’s replace the Route’s Hostnames with the following:

hostnames:
  - <HOSTNAME_1>
  - <HOSTNAME_2>
  - <HOSTNAME_3>

Next, let’s add some functionality to the HTTPRoute. We can do this by adding Rules with new Filters and Matches. For instance, if we want to add a certain request header whenever someone hits our service from a certain path we can do that with a simple rule containing a path match to select the rule, and a request header filter to add our desired header.

  - backendRefs:
    - name: http-echo-svc
      port: 80
    matches:
    - path:
        type: PathPrefix
        value: /paprika
    filters:
    - type: RequestHeaderModifier
      requestHeaderModifier:
        add:
          - name: paprika-header
            value: spicy-value

Additionally, we can instead also create a response header whenever that path is reached.

    filters:
    - type: ResponseHeaderModifier
      responseHeaderModifier:
        add:
          - name: my-response-header-name
            value: my-header-value

Now, if you want to redirect from one path to another there’s a rule for that! Firstly, set up a match on that route.

  - matches:
    - path:
        type: PathPrefix
        value: /pumpkin

Then add a RequestRedirect filter to redirect to the destination path.

    filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        hostname: <HOSTNAME_1>
        statusCode: 301
        path:
          type: ReplacePrefixMatch
          replacePrefixMatch: /paprika

The Kubernetes Gateway API

Kubernetes Gateway API caters to the needs of modern organization roles that use and configure networking into Kubernetes. Built with a role-oriented architecture, it balances distributed flexibility with centralized governance and control by. It allows shared network infrastructure (hardware load balancers, cloud networking, cluster-hosted proxies etc) to be used by many different and non-coordinating teams, all bound by the policies and constraints set by cluster operators, responsible for managing Kubernetes clusters. This eliminates friction in application and API delivery by providing the flexibility needed by the users of the infrastructure (application developer) while also maintaining control by the owners of the infrastructure (Infrastructure provider and cluster operator). It also enhances security by ensuring granular control over who can manage networking resources.

Gateway API is also expressive - it natively supports enhanced routing for multiple types of routes (L4 and L7), header-based matching, traffic weighting, and other capabilities that equip developers to direct and shape traffic easily. This enhanced support for routing gives developers the flexibility to configure path routing that maps requests to Kubernetes services. 

Motivation: Addressing ingress limitations

The Kubernetes Gateway API is being developed to address the limitations of the existing Ingress API. Ingress API doesn’t offer enough features out of the box requiring infrastructure operations teams to fill the remaining 70-80% of the interface with annotations to cover what cluster operators and application developers require. This forces users to maintain bespoke configurations for each infrastructure provider they use. Moreover, it also lacks functionality for allocating portions of the cluster to different teams or applications, leading to either the cumbersome setup of multiple controller instances or forcing cluster providers to limit app developers' control over their deployment strategies. 

The Gateway API addresses these challenges, enabling a more flexible and secure environment for managing networking into Kubernetes. It overcomes the issue of limited functionality through routes, which establish a set of rules that contain Matches and Filters to support any desired matching logic or transformation needed by app developers. This means users don’t need to maintain bespoke configurations for each environment and eliminates friction when migrating from one platform to another as the Gateway API abstracts connectivity by providing a common interface into Kubernetes. Furthermore, the Gateway API’s role-based framework allows individual app developers to integrate with the same gateway independently, without impacting each other’s services. 

What’s next?

The ngrok Kubernetes Operator currently supports the creation of Gateways, HTTPRoutes, and the core filters on those routes. We already have plans to support additional filters, including both the extended filter and support for the ngrok Policy Engine. As additional parts of the Gateway API spec transition from experimental to stable, such as the TCPRoute and TLSRoute objects, we will implement these as well.

Get started with the ngrok Kubernetes Gateway API integration

If you don’t have an account, you can sign up today to get started with ngrok. Reach us on Twitter, the ngrok community on Slack, or contact us at support@ngrok.com and share your feedback on this developer preview of the Gateway API.

Share this post

← back to index

Kubernetes
Product updates
Kubernetes
Production