Created
April 2, 2020 22:10
Enable multi-cluster communication for custom domain suffix
```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: istio-multicluster-customsuffix
  namespace: istio-system
  labels:
    release: istio
spec:
  workloadLabels:
    istio: ingressgateway
  filters:
  - listenerMatch:
      portNumber: 15443
      listenerType: GATEWAY
    insertPosition:
      index: AFTER
      relativeTo: envoy.filters.network.sni_cluster
    filterName: envoy.filters.network.tcp_cluster_rewrite
    filterType: NETWORK
    filterConfig:
      cluster_pattern: "\\.customsuffix$"
      cluster_replacement: ".svc.cluster.local"
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-multicluster-customsuffix
  namespace: istio-system
  labels:
    release: istio
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "*.customsuffix"
    port:
      name: tls
      number: 15443
      protocol: TLS
    tls:
      mode: AUTO_PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-multicluster-customsuffix
  namespace: istio-system
  labels:
    release: istio
spec:
  host: "*.customsuffix"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
```
Make sure to replace `customsuffix` with `yoursuffix` in each of these steps.

1. Point the k8s cluster DNS (kube-dns or coredns) to resolve `customsuffix` using istiocoredns.

   a. Get the cluster IP for istiocoredns:

      kubectl get svc istiocoredns -n istio-system -o jsonpath='{.spec.clusterIP}'

   b. Edit the kube-dns or coredns ConfigMap for the k8s cluster to point to the cluster IP obtained in a). You can use this [script](https://github.intuit.com/services-mesh/admiral/blob/master/install/scripts/redirect-dns.sh) as a reference.

2. Configure istiocoredns to resolve entries ending in `customsuffix` (any ServiceEntry created with host=someservice.somenamespace.customsuffix becomes resolvable through istiocoredns). Run the following command and copy the block below into the ConfigMap:

   `kubectl edit cm coredns -n istio-system`

   ```
   proxy customsuffix 127.0.0.1:8053 {
       protocol grpc insecure
   }
   ```

3. Add an EnvoyFilter to translate `customsuffix` to `svc.cluster.local` on the ingressgateway.
4. Create an Istio Gateway so that the ingressgateway accepts traffic for hosts ending in `customsuffix`.
5. Add a DestinationRule to use mTLS for hosts ending in `customsuffix`.

For steps 3, 4 & 5, download and apply the YAML from istio-multicluster-config.yaml (shown above) after replacing `customsuffix` with `yoursuffix`:

    kubectl apply -f istio-multicluster-config.yaml
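As an added illustration (not part of the gist), the following Python models what steps 3 and 4 do to the SNI of a TLS connection arriving on port 15443: the Gateway admits names under `*.customsuffix`, `sni_cluster` uses the SNI as the cluster name, and `tcp_cluster_rewrite` applies the `cluster_pattern`/`cluster_replacement` pair, so a remote name maps directly onto a local `svc.cluster.local` service and the mTLS from step 5 is what authenticates the caller. The Gateway host-matching helper and the sample SNIs are simplifications constructed here, not Istio's own code.

```python
import re

# Values copied from the EnvoyFilter above. The YAML double-quoted string
# "\\.customsuffix$" decodes to the regex \.customsuffix$: a literal dot,
# anchored at the end of the cluster name.
CLUSTER_PATTERN = r"\.customsuffix$"
CLUSTER_REPLACEMENT = ".svc.cluster.local"
GATEWAY_HOSTS = ["*.customsuffix"]   # hosts from the Gateway above


def sni_matches_gateway(sni, hosts=GATEWAY_HOSTS):
    """Simplified (assumed) model of Istio Gateway host matching:
    '*.suffix' admits any name with at least one label before '.suffix'."""
    for host in hosts:
        if host.startswith("*."):
            suffix = host[1:]            # ".customsuffix"
            if sni.endswith(suffix) and len(sni) > len(suffix):
                return True
        elif sni == host:
            return True
    return False


def rewrite_cluster(sni, pattern=CLUSTER_PATTERN, replacement=CLUSTER_REPLACEMENT):
    """Model of envoy.filters.network.tcp_cluster_rewrite: sni_cluster picks the
    SNI as the cluster name, then cluster_pattern is substituted with
    cluster_replacement (a regex substitution, as Envoy does)."""
    return re.sub(pattern, replacement, sni)


def route(sni):
    """Upstream cluster a TLS connection on port 15443 would be sent to,
    or None when the Gateway does not admit that SNI at all."""
    if not sni_matches_gateway(sni):
        return None
    return rewrite_cluster(sni)


if __name__ == "__main__":
    # Constructed sample SNIs: a remote-cluster service name and two names
    # the Gateway must not admit.
    for name in ["reviews.default.customsuffix",
                 "reviews.default.svc.cluster.local",
                 "customsuffix"]:
        print(f"{name:40} -> {route(name)}")
    # Why the pattern is escaped and anchored: an unanchored ".customsuffix"
    # would rewrite a name that does not end in the suffix.
    print(rewrite_cluster("reviews.default.customsuffix.example", ".customsuffix"))
```

The last line shows the check worth making whenever `yoursuffix` is substituted: keep the `\\.` escape and the `$` anchor, or names that merely contain the suffix get rewritten too.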