Ambassador is a Kubernetes-native API Gateway for microservices. Ambassador is deployed at the edge of your network, and routes incoming traffic to your internal services (aka "north-south" traffic). Istio is a service mesh for microservices, and designed to add L7 observability, routing, and resilience to service-to-service traffic (aka "east-west" traffic). Both Istio and Ambassador are built using Envoy.
Ambassador and Istio can be deployed together on Kubernetes. In this configuration, incoming traffic from outside the cluster is first routed through Ambassador, which then routes the traffic to Istio. Ambassador handles authentication, edge routing, TLS termination, and other traditional edge functions.
This allows the operator to have the best of both worlds: a high performance, modern edge service (Ambassador) combined with a state-of-the-art service mesh (Istio). Istio's basic ingress controller, the ingress controller is very limited, and has no support for authentication or many of the other features of Ambassador.
Getting Ambassador working with Istio is straightforward. In this example, we'll use the
bookinfo sample application from Istio.
- Install Istio on Kubernetes, following the default instructions.
- Next, install the Bookinfo sample application, following the instructions.
- Verify that the sample application is working as expected.
By default, the Bookinfo application uses the Istio ingress. To use Ambassador, we need to:
- Install Ambassador. See the quickstart guide.
- Update the
bookinfo.yamlmanifest to include the necessary Ambassador annotations. See below.
Optionally, delete the Ingress controller from the
bookinfo.yamlmanifest by typing
kubectl delete ingress gateway.
Test Ambassador by going to
$AMBASSADOR_IP/productpage/. You can get the actual IP address for Ambassador by typing
kubectl get services ambassador.
Newer versions of Istio support Kubernetes initializers to automatically inject the Istio sidecar. With Ambassador, you don't need to inject the Istio sidecar -- Ambassador's Envoy instance will automatically route to the appropriate service(s). If you're using automatic sidecar injection, you'll need to configure Istio to not inject the sidecar automatically for Ambassador pods. There are several approaches to doing this that are explained in the documentation.