Skip to content

Instantly share code, notes, and snippets.

@nmnellis
Last active Dec 9, 2020
Embed
What would you like to do?
Trying out Istio's DNS Poxy
cat /etc/resolv.conf
nameserver 10.8.0.10
search default.svc.cluster.local svc.cluster.local cluster.local google.internal
options ndots:5
{
"name": "outbound|443||istio.io",
"type": "STRICT_DNS",
"connectTimeout": "10s",
"loadAssignment": {
"clusterName": "outbound|443||istio.io",
"endpoints": [
{
"locality": {},
"lbEndpoints": [
{
"endpoint": {
"address": {
"socketAddress": {
"address": "istio.io",
"portValue": 443
}
}
},
"loadBalancingWeight": 1
}
],
"loadBalancingWeight": 1
}
]
},
"circuitBreakers": {
"thresholds": [
{
"maxConnections": 4294967295,
"maxPendingRequests": 4294967295,
"maxRequests": 4294967295,
"maxRetries": 4294967295
}
]
},
"dnsRefreshRate": "5s",
"respectDnsTtl": true,
"dnsLookupFamily": "V4_ONLY",
"metadata": {
"filterMetadata": {
"istio": {
"default_original_port": 443,
"services": [
{
"host": "istio.io",
"name": "istio.io",
"namespace": "default"
}
]
}
}
},
"filters": [
{
"name": "istio.metadata_exchange",
"typedConfig": {
"@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
"typeUrl": "type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange",
"value": {
"protocol": "istio-peer-exchange"
}
}
}
]
},
curl -v https://istio.io/
* Trying 240.240.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x555e7e38af50)
* Connected to istio.io (240.240.0.1) port 443 (#0)
istioctl pc clusters my-pod | grep database
database-1.cwbnoj5bvq8z.eu-central-1.rds.amazonaws.com 3306 - outbound STRICT_DNS
database-2.cwbnoj5bvq8z.eu-central-1.rds.amazonaws.com 3307 - outbound STRICT_DNS
istioctl pc listeners my-pod | grep database
0.0.0.0 3306 ALL Cluster: outbound|3306||database-2.cwbnoj5bvq8z.eu-central-1.rds.amazonaws.com
istioctl pc listeners my-pod | grep database
240.240.0.1 3306 ALL Cluster: outbound|3306||database-1.cwbnoj5bvq8z.eu-central-1.rds.amazonaws.com
240.240.0.2 3306 ALL Cluster: outbound|3306||database-2.cwbnoj5bvq8z.eu-central-1.rds.amazonaws.com
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: db-1
spec:
hosts:
- database-1.cwbnoj5bvq8z.eu-central-1.rds.amazonaws.com
ports:
- number: 3306
name: tcp
protocol: TCP
resolution: DNS
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: db-2
spec:
hosts:
- database-2.cwbnoj5bvq8z.eu-central-1.rds.amazonaws.com
ports:
- number: 3306
name: tcp
protocol: TCP
resolution: DNS
dig istio.io
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> istio.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2732
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;istio.io. IN A
;; ANSWER SECTION:
istio.io. 30 IN A 240.240.0.1
;; Query time: 0 msec
;; SERVER: 169.254.169.254#53(169.254.169.254)
;; WHEN: Mon Nov 23 17:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
meshConfig:
defaultConfig:
proxyMetadata:
ISTIO_META_DNS_CAPTURE: "true"
{
"name": "240.240.0.1_443",
"address": {
"socketAddress": {
"address": "240.240.0.1",
"portValue": 443
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
"statPrefix": "outbound|443||istio.io",
"cluster": "outbound|443||istio.io",
}
}
]
}
...
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: istio-io
spec:
hosts:
- istio.io
location: MESH_EXTERNAL
ports:
- number: 443
name: https
protocol: TLS
resolution: DNS
dig istio.io
;; QUESTION SECTION:
;istio.io. IN A
;; ANSWER SECTION:
istio.io. 30 IN A 240.240.0.1
;; SERVER: 10.8.0.10#53(10.8.0.10)
curl my-vm.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Apache2 Debian Default Page: It works</title>
<style type="text/css" media="screen">
* {
margin: 0px 0px 0px 0px;
padding: 0px 0px 0px 0px;
}
body, html {
padding: 3px 3px 3px 3px;
background-color: #D8DBE2;
font-family: Verdana, sans-serif;
font-size: 11pt;
text-align: center;
}
....
istioctl install --set values.pilot.env.PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATION=true
root@helloworld-v1-578dd69f69-fhz52:/opt/microservices# curl my-vm.vm.svc.cluster.local
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...
apiVersion: v1
kind: Service
metadata:
labels:
name: my-vm
name: my-vm
namespace: vm
spec:
ports:
- name: http
port: 80
targetPort: 80
selector:
app: myvmapi
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: vm
spec:
hosts:
- my-vm.com
ports:
- number: 80
name: http
protocol: HTTP
resolution: STATIC
workloadSelector:
labels:
app: myvmapi
# kubectl get workloadentries -n vm -o yaml myvmapi-10.128.15.211
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
annotations:
istio.io/autoRegistrationGroup: myvmapi
creationTimestamp: "2020-11-23T17:55:46Z"
generation: 2
name: myvmapi-10.128.15.211
namespace: vm
resourceVersion: "3055325"
spec:
address: 10.128.15.211
labels:
app: myvmapi
serviceAccount: vm
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment