Expose workloads in multiple Namespaces with a single APIRule definition

This tutorial shows how to expose service endpoints in multiple Namespaces using API Gateway Controller.

CAUTION: Exposing a workload to the outside world causes a potential security vulnerability, so tread carefully. In a production environment, secure the workload you expose with OAuth2 or JWT.

Prerequisites

  1. Create a sample HttpBin service deployment and a sample Function in the separate Namespaces:

    • Create a Namespace for the HttpBin service and export its value as an environment variable. Run:

      Click to copy
      export NAMESPACE_HTTPBIN={NAMESPACE_HTTPBIN}
      kubectl create ns $NAMESPACE_HTTPBIN
      kubectl label namespace $NAMESPACE_HTTPBIN istio-injection=enabled --overwrite

    • Create a different Namespace for the Function service and export its value as an environment variable. Run:

      Click to copy
      export NAMESPACE_FUNCTION={NAMESPACE_FUNCTION}
      kubectl create ns $NAMESPACE_FUNCTION
      kubectl label namespace $NAMESPACE_FUNCTION istio-injection=enabled --overwrite

    • Deploy an instance of the HttpBin service in its Namespace using the sample code:

      Click to copy
      kubectl -n $NAMESPACE_HTTPBIN create -f https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml

    • Create a Function in its Namespace using the sample code:

      Click to copy
      kubectl -n $NAMESPACE_FUNCTION apply -f https://raw.githubusercontent.com/kyma-project/kyma/main/docs/03-tutorials/assets/function.yaml

  2. Create a Namespace for the Gateway and APIRule CRs and export its value as the environment variable. Run:

    Click to copy
    export NAMESPACE={NAMESPACE}
    kubectl create ns $NAMESPACE
    kubectl label namespace $NAMESPACE istio-injection=enabled --overwrite

  3. Depending on whether you use your custom domain or a Kyma domain, export the necessary values as environment variables:

  • Custom domain
  • Kyma domain

Expose and access your workloads in multiple Namespaces

  1. Expose the HttpBin and Function services in their respective Namespaces by creating an APIRule CR in its own Namespace. Run:

    Click to copy
    cat <<EOF | kubectl apply -f -
    apiVersion: gateway.kyma-project.io/v1beta1
    kind: APIRule
    metadata:
      name: httpbin-and-function
      namespace: $NAMESPACE
    spec:
      host: httpbin-and-function.$DOMAIN_TO_EXPOSE_WORKLOADS
      gateway: $GATEWAY
      rules:
        - path: /headers
          methods: ["GET"]
          service:
            name: httpbin
            namespace: $NAMESPACE_HTTPBIN
            port: 8000
          accessStrategies:
            - handler: noop
          mutators:
            - handler: noop
        - path: /function
          methods: ["GET"]
          service:
            name: function
            namespace: $NAMESPACE_FUNCTION
            port: 80
          accessStrategies:
            - handler: noop
          mutators:
            - handler: noop
    EOF

    NOTE: If you are running Kyma on k3d, add httpbin.kyma.local to the entry with k3d IP in your system's /etc/hosts file.

  2. Call the HttpBin endpoint by sending a GET request to the HttpBin service:

    Click to copy
    curl -ik -X GET https://httpbin-and-function.$DOMAIN_TO_EXPOSE_WORKLOADS/headers

    If successful, the call returns the code 200 OK response.

  3. Call the Function endpoint by sending a GET request to the Function service:

    Click to copy
    curl -ik -X GET https://httpbin-and-function.$DOMAIN_TO_EXPOSE_WORKLOADS/function

    If successful, the call returns the code 200 OK response.