Gateway API is an official Kubernetes project focused on L4 and L7 routing in Kubernetes. This project represents the next generation of Kubernetes Ingress, Load Balancing, and Service Mesh APIs. From the outset, it has been designed to be generic, expressive, and role-oriented. (Official documentation)
On this runbook we’ll show you how to configure the basics to start using Gateway API with StackGres.
Important: In case your Kubernetes cluster, does not have a LoadBalancer implementation, we recommend installing one so the Gateway resource has an Address associated with it. We recommend using MetalLB.
There are four main components to configure the Gateway API:
There are various controller you can use for your infrastructure, check the list here.
For the demo purpose we will use the Envoy Gateway.
GatewayClass: Is a cluster-scoped resource. There must be at least one GatewayClass defined in order to be able to have functional Gateways.
Gateways: A Gateway describes how traffic can be translated to Services within the cluster. That is, it defines a request for a way to translate traffic from somewhere that does not know about Kubernetes to somewhere that does.
It defines a request for a specific load balancer config that implements the GatewayClass’ configuration and behaviour contract. The resource may be created by an operator directly, or may be created by a controller handling a GatewayClass.
We will show you how to create a TCPRoute to handle Postgres traffic. You can check the different types of Routes here
In order to focus on the Gateway API configuration we will assume that you already have your SGCluster up and running. Check the StackGres Demo Quickstart to create your cluster. The demo cluster used here was created on GKE.
Demo SGCluster:
❯ kubectl get sgclusters.stackgres.io -n my-db NAME VERSION INSTANCES PROFILE DISK my-db 16.2 1 size-s 10Gi SGCluster service:
kubectl get services -n my-db -l stackgres.io/cluster=true NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE my-db ClusterIP 10.63.219.145 <none> 5432/TCP,5433/TCP 61m my-db-config ClusterIP None <none> <none> 61m Even though GKE already provides a Gateway API controller, we’ll use the Envoy controller.
Install it executing the next command:
helm install eg oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n envoy-gateway-system --create-namespace Note: For custom requirements check the official documentation
cat <<EOF | kubectl apply -f - apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: eg spec: controllerName: gateway.envoyproxy.io/gatewayclass-controller EOF Check the object created:
❯ kubectl get gatewayclasses.gateway.networking.k8s.io NAME CONTROLLER ACCEPTED AGE eg gateway.envoyproxy.io/gatewayclass-controller True 86m cat <<EOF | kubectl apply -f - apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: tcp-gateway namespace: my-db spec: gatewayClassName: eg listeners: - name: pg-gateway protocol: TCP port: 5432 allowedRoutes: kinds: - kind: TCPRoute EOF Check the object created:
❯ kubectl get gateways.gateway.networking.k8s.io -n my-db NAME CLASS ADDRESS PROGRAMMED AGE tcp-gateway eg 34.89.14.197 True 72m Note that we are using the namespace
my-dbbecause only theGatewayClassis cluster-scoped.
The IP address might take a few minutes to be assigned. This is the public IP that you need to use as the service endpoint.
cat <<EOF | kubectl apply -f - apiVersion: gateway.networking.k8s.io/v1alpha2 kind: TCPRoute metadata: name: my-db-route namespace: my-db spec: parentRefs: - name: tcp-gateway sectionName: pg-gateway rules: - backendRefs: - name: my-db port: 5432 EOF sectionName field in the parentRefs. This correspond directly with the name in the listeners in the GatewaybackendRefs correspond to the database service.Once you configured the Gateway API, the last thing is to check if you have connection to your database cluster:
We got the superuser passsword with the next command:
PASSWORD=$(kubectl get secret -n my-db my-db --template '{{ printf "%s" (index .data "superuser-password" | base64decode) }}') echo "user: postgres" echo "password: $PASSWORD" output:
user: postgres password: 7a83-4f62-4c71-815 Now we can test the connection to the cluster:
❯ psql -h 34.89.14.197 -p 5432 -U postgres -d postgres Password for user postgres: psql (16.3 (Ubuntu 16.3-1.pgdg22.04+1), server 16.2 (OnGres 16.2-build-6.31)) Type "help" for help. postgres=# The above example was intended to show you the basic configuration of the Gateway API. If you want to expose your database, make sure to configure a secure connection to it.
Check the security documentation for the Envoy Gateway here