Expose workloads in multiple Namespaces with a single APIRule definition

This tutorial shows how to expose service endpoints in multiple Namespaces using API Gateway Controller.

CAUTION: Exposing a workload to the outside world causes a potential security vulnerability, so tread carefully. In a production environment, secure the workload you expose with OAuth2 or JWT.

Prerequisites

  1. Create three Namespaces: one for an instance of the HttpBin service, one for a sample Function, and one for an APIRule custom resource (CR). Deploy an instance of the HttpBin service and a sample Function in their respective Namespaces. To learn how to do it, follow the Create a workload tutorial.

    NOTE: Remember to enable the Istio sidecar proxy injection in each Namespace.

  2. Export the Namespaces' names as environment variables:

    Click to copy
    export NAMESPACE_HTTPBIN={NAMESPACE_NAME}
    export NAMESPACE_FUNCTION={NAMESPACE_NAME}
    export NAMESPACE_APIRULE={NAMESPACE_NAME}

  3. Depending on whether you use your custom domain or a Kyma domain, export the necessary values as environment variables:

  • Custom domain
  • Kyma domain

Expose and access your workloads in multiple Namespaces

  1. Expose the HttpBin and Function services in their respective Namespaces by creating an APIRule CR in its own Namespace. Run:

    Click to copy
    cat <<EOF | kubectl apply -f -
    apiVersion: gateway.kyma-project.io/v1beta1
    kind: APIRule
    metadata:
      name: httpbin-and-function
      namespace: $NAMESPACE_APIRULE
    spec:
      host: httpbin-and-function.$DOMAIN_TO_EXPOSE_WORKLOADS
      gateway: $GATEWAY
      rules:
        - path: /headers
          methods: ["GET"]
          service:
            name: httpbin
            namespace: $NAMESPACE_HTTPBIN
            port: 8000
          accessStrategies:
            - handler: noop
          mutators:
            - handler: noop
        - path: /function
          methods: ["GET"]
          service:
            name: function
            namespace: $NAMESPACE_FUNCTION
            port: 80
          accessStrategies:
            - handler: noop
          mutators:
            - handler: noop
    EOF

    NOTE: If you are running Kyma on k3d, add httpbin.kyma.local to the entry with k3d IP in your system's /etc/hosts file.

  2. Call the HttpBin endpoint by sending a GET request to the HttpBin service:

    Click to copy
    curl -ik -X GET https://httpbin-and-function.$DOMAIN_TO_EXPOSE_WORKLOADS/headers

    If successful, the call returns the code 200 OK response.

  3. Call the Function endpoint by sending a GET request to the Function service:

    Click to copy
    curl -ik -X GET https://httpbin-and-function.$DOMAIN_TO_EXPOSE_WORKLOADS/function

    If successful, the call returns the code 200 OK response.