Deploying Istio on a Kubernetes Kapsule with ProxyProtocol v2 support
- kubernetes
- load-balancer
- proxy-protocol
- istio
Istio is an open source service mesh that lets you run distributed, microservices-based apps anywhere. It helps you manage and connect the different microservices in your Scaleway Kubernetes cluster, making it easier to build and maintain complex applications.
This tutorial describes the steps required to deploy Istio on a Scaleway Kubernetes Kapsule cluster and configure it to support Proxy Protocol v2. The Scaleway Load Balancer in front of the cluster is a TCP proxy: without Proxy Protocol, every connection it forwards to the Istio ingress Gateway appears to come from the Load Balancer itself. With Proxy Protocol v2 enabled, the Load Balancer prefixes each forwarded connection with a header carrying the original client's connection information (e.g. its IP address and port), which Istio's Envoy proxy can parse and pass on to the target Pod or Service via the service mesh.
Before you start
To complete the actions presented below, you must have:
- A Scaleway account logged into the console
- Owner status or IAM permissions allowing you to perform actions in the intended Organization
- A Kubernetes Kapsule cluster with a Scaleway Load Balancer service
- kubectl and Helm set up on your machine
Install Istio with Helm
- Add the Istio Helm repository and refresh the chart index:
```shell
helm repo add istio https://istio-release.storage.googleapis.com/charts
helm repo update
```
- Install the Istio control plane (istiod). The istiod chart relies on the Istio CRDs, which the istio/base chart provides; install that chart first if the cluster does not already have them:
```shell
helm install istiod istio/istiod -n istio-system --create-namespace
```
- Install the Istio ingress Gateway. The release name is reused as the name of the gateway Deployment and Service (istio-ingressgateway) in the following steps:
```shell
helm install istio-ingressgateway istio/gateway -n istio-system
```
Verify the ingress Gateway Service
An ingress gateway service acts as an entry point for external traffic into the cluster. It is exposed via a Kubernetes LoadBalancer Service, which, in our case, uses a Scaleway Load Balancer. The Load Balancer forwards external traffic to the ingress Gateway Pod.
- Run the following command to retrieve the Service configuration:
```shell
kubectl get svc istio-ingressgateway -n istio-system -o yaml
```
- Verify that the Service is of type LoadBalancer and that a Scaleway Load Balancer is associated with it: its public IP address must be listed under status.loadBalancer.ingress.
Add annotations for Proxy Protocol
Annotate the Service so that the Scaleway Load Balancer sends a Proxy Protocol v2 header at the start of every forwarded connection, and set externalTrafficPolicy to Local so that traffic is delivered directly to the nodes running a gateway Pod instead of being re-routed (and source-NATed) by kube-proxy:
```shell
kubectl annotate -n istio-system svc istio-ingressgateway \
  "service.beta.kubernetes.io/scw-load-balancer-proxy-protocol-v2=true" --overwrite
kubectl patch svc istio-ingressgateway -n istio-system \
  -p '{"spec": {"externalTrafficPolicy": "Local"}}'
```
The annotation value must be true; with false the Load Balancer sends plain TCP connections and none of the following configuration has any effect. Note that from the moment the annotation is applied, every connection reaching the gateway starts with a Proxy Protocol header, which Envoy treats as garbage until the listener filter from the next section is in place, so expect a short interruption of traffic on a live gateway.
Configure Envoy to support Proxy Protocol
Envoy is the proxy that Istio runs as the ingress Gateway (and as a sidecar next to each service) to route and control the flow of traffic between services in the Kubernetes cluster. The Gateway's Envoy has to be told to parse the Proxy Protocol header before it inspects the connection, which Istio does through an EnvoyFilter resource.
- Create a file named proxy-protocol.yaml with an EnvoyFilter that adds the proxy_protocol listener filter to the ingress Gateway listeners. The workloadSelector restricts the patch to Pods carrying the istio: ingressgateway label, so sidecars are not affected:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: proxy-protocol
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: LISTENER
    patch:
      operation: MERGE
      value:
        listener_filters:
        - name: envoy.filters.listener.proxy_protocol
        - name: envoy.filters.listener.tls_inspector
```
The order matters: the Proxy Protocol header precedes the TLS ClientHello on the wire, so proxy_protocol must run before tls_inspector. Once this filter is active, Envoy closes any connection that does not start with a valid Proxy Protocol header, which is why the Load Balancer annotation has to be set to true.
- Apply the configuration:
```shell
kubectl apply -f proxy-protocol.yaml
```
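The two sides of the exchange above, the Load Balancer that writes the Proxy Protocol v2 header and the Envoy proxy_protocol listener filter that parses it, are easier to reason about with the bytes in front of you. The following Python script is an added example written for this page, not code from Scaleway, Istio or Envoy: it builds a v2 header for a constructed client connection (documentation addresses 203.0.113.7 and 10.0.0.5), parses it back the way the listener filter does, handles the LOCAL command a proxy uses for its own health checks, and shows what happens to a connection that carries no header, which is the case when the EnvoyFilter is applied but the Service annotation is left at false.

```python
import ipaddress
import struct

# PROXY protocol v2 constants (from the HAProxy PROXY protocol specification).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12 bytes, never valid as HTTP or TLS
PP2_VERSION = 0x20          # high nibble of byte 12
PP2_CMD_LOCAL = 0x00        # low nibble: connection opened by the proxy itself (health checks)
PP2_CMD_PROXY = 0x01        # low nibble: relayed client connection, addresses follow
PP2_FAM_INET = 0x10         # high nibble of byte 13: IPv4
PP2_FAM_INET6 = 0x20        # high nibble of byte 13: IPv6
PP2_PROTO_STREAM = 0x01     # low nibble of byte 13: TCP


def build_pp2_header(src_ip, src_port, dst_ip, dst_port):
    """Build the header a Load Balancer prepends to a relayed TCP connection."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must be the same address family")
    family = PP2_FAM_INET if src.version == 4 else PP2_FAM_INET6
    addresses = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return (PP2_SIGNATURE
            + bytes([PP2_VERSION | PP2_CMD_PROXY, family | PP2_PROTO_STREAM])
            + struct.pack("!H", len(addresses))   # length of everything after byte 16
            + addresses)


def parse_pp2_header(data):
    """Parse a PROXY v2 header the way Envoy's proxy_protocol listener filter does.

    Returns (info, payload): info describes the original client connection
    (None for a LOCAL command), payload is the application data that follows.
    Raises ValueError when the connection does not start with a valid header;
    Envoy closes such a connection, which is what a gateway does when the
    EnvoyFilter is applied but the Load Balancer is not sending the header.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("connection does not start with a PROXY protocol v2 header")
    ver_cmd, fam_proto = data[12], data[13]
    if (ver_cmd & 0xF0) != PP2_VERSION:
        raise ValueError("unsupported PROXY protocol version")
    (length,) = struct.unpack("!H", data[14:16])
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY protocol header")
    body, payload = data[16:16 + length], data[16 + length:]
    command = ver_cmd & 0x0F
    if command == PP2_CMD_LOCAL:
        return None, payload           # proxy's own connection: no client address carried
    if command != PP2_CMD_PROXY:
        raise ValueError("unknown PROXY protocol command")
    family = fam_proto & 0xF0
    if family == PP2_FAM_INET and length >= 12:
        src, dst = ipaddress.IPv4Address(body[0:4]), ipaddress.IPv4Address(body[4:8])
        src_port, dst_port = struct.unpack("!HH", body[8:12])
    elif family == PP2_FAM_INET6 and length >= 36:
        src, dst = ipaddress.IPv6Address(body[0:16]), ipaddress.IPv6Address(body[16:32])
        src_port, dst_port = struct.unpack("!HH", body[32:36])
    else:
        raise ValueError("unsupported or malformed address block")
    info = {"src": str(src), "src_port": src_port, "dst": str(dst), "dst_port": dst_port,
            "tcp": (fam_proto & 0x0F) == PP2_PROTO_STREAM}
    return info, payload


def connection_is_proxied(data):
    """True if the first bytes of a connection carry a valid PROXY v2 header."""
    try:
        parse_pp2_header(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a client at 203.0.113.7 reaching the gateway's HTTPS
    # port through the Load Balancer (documentation addresses, not real ones).
    header = build_pp2_header("203.0.113.7", 51234, "10.0.0.5", 443)
    info, payload = parse_pp2_header(header + b"GET / HTTP/1.1\r\n")
    print(info, payload)
    # The same request sent without the header is refused by a gateway that expects one.
    print(connection_is_proxied(b"GET / HTTP/1.1\r\n"))
```

The signature bytes are chosen so that they can never be mistaken for the start of an HTTP request or a TLS record; that is what lets the listener filter fail closed instead of guessing, and also why an application that is not expecting the header sees a broken first request rather than a silently wrong client address.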
Enable X-Forwarded-For
With Proxy Protocol in place, the Gateway's Envoy knows the real client address of each connection. It still has to write that address into the X-Forwarded-For header (and expose it as X-Envoy-External-Address) for the services behind the Gateway, which is done with a second EnvoyFilter that patches the HTTP connection manager of the gateway listeners.
- Create a file named ingressgateway-settings.yaml with the following content:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ingressgateway-settings
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          skip_xff_append: false
          use_remote_address: true
          xff_num_trusted_hops: 0
```
Three things to note about this filter. First, use_remote_address: true makes Envoy derive the client address from the connection's source address, which after the proxy_protocol listener filter is the address carried in the Proxy Protocol header, and append it to X-Forwarded-For (skip_xff_append: false). Second, xff_num_trusted_hops is 0 because the Scaleway Load Balancer is a TCP proxy that does not add an X-Forwarded-For header of its own; a value of 1, which Istio's documentation uses for gateways placed behind an HTTP proxy that appends X-Forwarded-For, would make Envoy trust the last address of any X-Forwarded-For header supplied by the client, so any client could spoof the address reported in X-Envoy-External-Address. Third, the typed_config uses the v3 Envoy API type and filter name; the older v2 type (envoy.config.filter.network.http_connection_manager.v2) is no longer accepted by current Envoy and Istio releases. The workloadSelector keeps these gateway-only settings away from the sidecars, where use_remote_address must stay false.
- Apply the configuration:
```shell
kubectl apply -f ingressgateway-settings.yaml
```
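The effect of xff_num_trusted_hops on what Envoy reports as the client address is the security-relevant part of the step above. The following Python model is an added example for this page, not Envoy's code: it applies Envoy's documented rule (with use_remote_address the trusted client address is the (N+1)th entry from the right of X-Forwarded-For after the connection's source address has been appended, falling back to that source address when there are fewer entries) to constructed requests, and compares trusted hops 1 and 0 for a client that sends a forged X-Forwarded-For header. The "internal address" rule used to decide whether X-Envoy-External-Address is set is simplified here to RFC 1918 and loopback ranges, an assumption rather than a full reproduction of Envoy's internal_address_config; the addresses are documentation addresses.

```python
import ipaddress

# Assumption: treat RFC 1918 and loopback addresses as "internal", so that
# X-Envoy-External-Address is only set for clients outside the cluster.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]


def is_internal(address):
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in INTERNAL_NETWORKS)


def resolve_client_address(xff_header, downstream_address, xff_num_trusted_hops,
                           use_remote_address=True, skip_xff_append=False):
    """Model of Envoy's X-Forwarded-For handling in the HTTP connection manager.

    xff_header: value of the incoming X-Forwarded-For header ("" if absent),
        i.e. whatever the client chose to send.
    downstream_address: source address of the TCP connection as Envoy sees it;
        with the proxy_protocol listener filter this is the address the Load
        Balancer placed in the PROXY header, the real client.
    Returns (outgoing X-Forwarded-For entries, trusted client address,
             X-Envoy-External-Address or None).
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if use_remote_address and not skip_xff_append:
        hops.append(downstream_address)          # Envoy appends the connection's source
    # Trusted client address: (N+1)th entry from the right, or the connection's
    # source address when the header does not have that many entries.
    index = len(hops) - 1 - xff_num_trusted_hops
    trusted = hops[index] if index >= 0 else downstream_address
    external = None if is_internal(trusted) else trusted
    return hops, trusted, external


if __name__ == "__main__":
    real_client = "203.0.113.7"                  # from the PROXY protocol header (constructed)
    forged_header = "192.0.2.66"                 # X-Forwarded-For the client sends itself
    for trusted_hops in (1, 0):
        print(f"xff_num_trusted_hops={trusted_hops}:",
              resolve_client_address(forged_header, real_client, trusted_hops))
```

With xff_num_trusted_hops: 1 the forged entry becomes the trusted client address and is what X-Envoy-External-Address reports, so rate limits or allow-lists keyed on that header would be bypassed; with 0 the address delivered by Proxy Protocol wins, and the forged entry merely remains in X-Forwarded-For ahead of it, which is why services behind the Gateway should read the rightmost entry rather than the first.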
Restart the Istio ingress Gateway Pod
Delete the gateway Pod so that its Deployment recreates it with the new listener configuration:
```shell
kubectl delete pod -l istio=ingressgateway -n istio-system
```
Verify the configuration
- Retrieve the public IP address of the Load Balancer (the EXTERNAL-IP column):
```shell
kubectl get svc istio-ingressgateway -n istio-system
```
- Send a request through the Load Balancer to an application you have exposed via the Gateway which echoes the request headers it receives (the /get path below is such an endpoint; adjust it to your application):
```shell
curl -v http://<LOAD_BALANCER_IP>/get
```
If the configuration is correct, the echoed headers include X-Forwarded-For and X-Envoy-External-Address, both containing the public IP address of the machine running curl rather than the address of the Load Balancer or of a cluster node. If curl instead reports that the connection was closed without an HTTP response, the Gateway is expecting a Proxy Protocol header that the Load Balancer is not sending: check that the annotation on the Service is set to true.
For further support with Istio, read their dedicated documentation.