This repository provides a lightweight, SA‑friendly demo showcasing how Calico Cloud implements the Ingress Gateway (IGW) using the Kubernetes Gateway API. The demo highlights:
- Path‑based routing (`/` → home)
- Canary routing (`/payments` → 80/20 stable/canary)
- TLS termination via Envoy through Calico IGW
Unlike other repos (e.g., Egress Gateway demo), this one intentionally uses manual kubectl commands so Solutions Architects can present the concepts naturally during customer meetings.
No automation scripts. No shortcuts. 1–2 commands at a time, exactly as you would demonstrate in a live technical session.

| Directory / File | Purpose |
|---|---|
| docs/ | Step-by-step setup, demo runbook, and troubleshooting |
| ├─ 00.cluster-create.md | Create the EKS cluster |
| ├─ 01.calico-cloud-connect.md | Connect the cluster to Calico Cloud |
| ├─ 02.ingress-gateway-setup.md | Full Ingress Gateway setup (Gateway API + Envoy) |
| ├─ 03.delete-setup.md | Teardown & cleanup steps |
| └─ 04.troubleshooting.md | Common issues and debugging steps |
| manifests/ | All YAML manifests used for the demo |
| ├─ base/ | Namespaces, backends, and Gateway API enablement |
| │ ├─ backends.yaml | Backend demo deployments |
| │ ├─ gatewayapi-enable.yaml | Enables Gateway API for Calico IGW |
| │ └─ namespaces.yaml | Demo namespaces |
| ├─ scenario-1-path-routing/ | Path routing & canary HTTPRoute examples |
| │ ├─ gateway.yaml | IGW Gateway resource |
| │ ├─ httproute-home.yaml | Route for / |
| │ └─ httproute-payments.yaml | Canary route for /payments |
| └─ scenario-2-tls-offload/ | TLS termination scenario |
| ├─ gateway-tls.yaml | TLS-enabled Gateway |
| └─ httproute-tls-home.yaml | TLS route for / |
| scripts/ | Helper scripts for demo automation |
| ├─ canary-test.sh | Traffic generator for verifying 80/20 canary split |
| └─ cleanup.sh | Full teardown (force-delete + TLS cleanup) |
| igw-demo.crt | Self-signed TLS certificate (demo only) |
| igw-demo.key | Private key for the TLS cert |
| README.md | You're here — high-level overview |

This demo is intentionally simple and follows three phases, each executed with a few clear kubectl commands.
Prepare cluster and connect it to Calico Cloud.
- Create the demo namespace
- Deploy backend services
Enable Calico’s GatewayAPI operator and apply the IGW Gateway.
- Install Gateway API CRDs
- Enable Calico IGW
- Deploy the `igw-demo-gateway`
Show real traffic flowing through Envoy via Calico.
- Route `/` to home service
- Route `/payments` with canary weights
- Verify 80/20 split with a curl loop
- Add TLS termination
- Validate HTTPS with automatic IP resolution
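
One way to check the canary split from a shell, as an added example that is not the repository's `scripts/canary-test.sh`. It assumes each `/payments` response body contains the word `stable` or `canary`; the function names are hypothetical and `GATEWAY_ADDR` is a placeholder for the Gateway's address.

```shell
#!/usr/bin/env bash
# Added example, not the repository's scripts/canary-test.sh.
# Assumption: each /payments response body contains "stable" or "canary".

# tally_split EXPECTED_CANARY_PCT TOLERANCE_PCT  (response bodies on stdin, one per line)
# Returns 0 only if every line was classified and the canary share is within tolerance.
tally_split() {
  local expected="$1" tolerance="$2" stable=0 canary=0 other=0 line total pct diff
  while IFS= read -r line; do
    case $line in
      *canary*) canary=$((canary + 1)) ;;
      *stable*) stable=$((stable + 1)) ;;
      *)        other=$((other + 1)) ;;  # empty body, 404, 503, timeout
    esac
  done
  total=$((stable + canary))
  if [ "$total" -eq 0 ]; then
    echo "no stable/canary responses seen (other=$other)" >&2
    return 2
  fi
  pct=$(( (canary * 100 + total / 2) / total ))  # rounded integer percent
  diff=$((pct - expected))
  if [ "$diff" -lt 0 ]; then diff=$((0 - diff)); fi
  echo "stable=$stable canary=$canary other=$other canary_pct=$pct"
  [ "$other" -eq 0 ] && [ "$diff" -le "$tolerance" ]
}

# sample_payments GATEWAY_ADDR COUNT: one line per request; a failed request yields an empty line.
sample_payments() {
  local addr="$1" count="$2" i=0
  while [ "$i" -lt "$count" ]; do
    printf '%s\n' "$(curl -s --max-time 5 "http://$addr/payments" | tr '\n' ' ')"
    i=$((i + 1))
  done
}

# Constructed sample: 81 stable and 19 canary bodies, as a weighted split might produce.
constructed_sample() {
  local i=0
  while [ "$i" -lt 100 ]; do
    if [ "$i" -lt 81 ]; then echo "payments-stable"; else echo "payments-canary"; fi
    i=$((i + 1))
  done
}

constructed_sample | tally_split 20 5   # offline check on the constructed sample
# Live: sample_payments "$GATEWAY_ADDR" 200 | tally_split 20 5
```

Weights set a proportion of requests, so a short loop rarely lands on exactly 80/20; the tolerance argument accounts for that, and any unclassified response fails the check rather than being silently dropped.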
Reset everything safely.
- Delete all HTTPRoutes and Gateways
- Disable Gateway API
- Remove CRDs
- Delete namespace
- Delete TLS artifacts
Cleanup is fully handled by:
```bash
bash scripts/cleanup.sh
```

| Concept | Description |
|---|---|
| Ingress Gateway (IGW) | Envoy‑powered north‑south entrypoint deployed by Calico Cloud |
| Gateway API | Next‑gen Kubernetes API for traffic management (replacing Ingress) |
| Path Routing | Routing rules such as / or /payments → backend services |
| Canary Routing | Weighted routing (e.g., 80/20) using Gateway API backendRefs |
| TLS Termination | IGW terminates TLS and forwards HTTP to workload services |
| Calico Cloud Visibility | Observe flows and visualize routing decisions within Service Graph |
This demo is built for Solutions Architects:
- Everything is done with 1–2 kubectl commands per step
- No Helm charts, no Ingress, no AWS LB Controller
- Pure Gateway API → Envoy → Calico Ingress Gateway
- Perfect for:
  - Customer technical sessions
  - Conference demos
  - Workshops
  - Internal SE enablement
Key moments:
- Create the IGW Gateway and watch `PROGRAMMED=True`
- Curl `/payments` and show live 80/20 split between stable/canary pods
- Generate a TLS cert and demonstrate full HTTPS termination
Reset everything with:
```bash
bash scripts/cleanup.sh
```

This cleans up:
- IGW Gateways
- HTTPRoutes
- Backend apps
- Gateway API CRDs
- Namespace (forced if stuck)
- TLS certificate + key
Cluster is restored to a clean, pre‑demo state.
Author: Abhishek Rao
Role: Solutions Architect, Tigera
Purpose: Internal enablement + customer demo pack
Contact: Tigera Slack (SE / Pre‑Sales Channel)