Created
December 5, 2019 18:29
-
-
Save rmichela/80ea94b24ec8965820f3670a99fa9128 to your computer and use it in GitHub Desktop.
Route traffic from inside the mesh to an external host by way of an egress gateway
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Goals | |
| # 1. Route traffic from inside the mesh to an external host by way of an egress gateway. | |
| # 2. Create an abstract name inside the mesh to decouple requests from external hostnames. This gives the | |
| # flexibility to switch between dev, test, and prod external API hostnames by only modifying the egress config. | |
| # 3. Originate TLS at the egress gateway proxy instead of at the in-mesh services. This lets us use our own mTLS | |
| # (or none at all) between services and the egress gateway proxy. | |
| # | |
| # istio-egressgateway.istio-system.svc.cluster.local:80 -> Egress Gateway -> httpstat.us:443 | |
| # Create an internal DNS name for the external destination's abstract name | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| name: httpstatus-egress | |
| namespace: default | |
| spec: | |
| type: ExternalName | |
| externalName: istio-egressgateway.istio-system.svc.cluster.local # it's got to go somewhere, why not the gateway? | |
| --- | |
| # ServiceEntry to route in-mesh requests to the egress gateway proxy | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: ServiceEntry | |
| metadata: | |
| name: httpstatus-egress | |
| namespace: default | |
| spec: | |
| hosts: | |
| - httpstatus-egress.default.svc.cluster.local # mesh name | |
| ports: | |
| - name: http | |
| number: 80 | |
| protocol: HTTP | |
| location: MESH_INTERNAL | |
| resolution: DNS | |
| endpoints: | |
| - address: istio-egressgateway.istio-system.svc.cluster.local | |
| ports: | |
| http: 80 | |
| --- | |
| # Gateway to define an egress gateway bound to a set of Envoy proxies | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: Gateway | |
| metadata: | |
| name: istio-egressgateway | |
| namespace: default | |
| spec: | |
| selector: | |
| istio: egressgateway | |
| servers: | |
| - hosts: | |
| - httpstatus-egress.default.svc.cluster.local # mesh name | |
| port: | |
| name: http-port-for-tls-origination | |
| number: 80 | |
| protocol: HTTP | |
| --- | |
| # ServiceEntry to route traffic from the egress gateway to the real external hosts, discovered by DNS | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: ServiceEntry | |
| metadata: | |
| name: httpstatus-egress-ext | |
| namespace: default | |
| spec: | |
| hosts: | |
| - httpstat.us # real host name | |
| ports: | |
| - name: http | |
| number: 443 | |
| protocol: HTTP | |
| location: MESH_EXTERNAL | |
| resolution: DNS | |
| endpoints: | |
| - address: httpstat.us | |
| ports: | |
| http: 443 | |
| --- | |
| # VirtualService to route the mesh internal name to the real external host name inside the egress gateway | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: VirtualService | |
| metadata: | |
| name: httpstatus-egress-ext | |
| namespace: default | |
| spec: | |
| gateways: | |
| - istio-egressgateway | |
| hosts: | |
| - httpstatus-egress.default.svc.cluster.local # mesh name | |
| http: | |
| - route: | |
| - destination: | |
| host: httpstat.us # real host name | |
| port: | |
| number: 443 # switch to TLS port | |
| rewrite: # send the real host name to the external service | |
| authority: httpstat.us | |
| --- | |
| # DestinationRule for instructing the egress gateway to originate TLS to external destination | |
| apiVersion: networking.istio.io/v1alpha3 | |
| kind: DestinationRule | |
| metadata: | |
| name: httpstatus-egress-ext | |
| namespace: default | |
| spec: | |
| host: httpstat.us | |
| trafficPolicy: | |
| tls: | |
| mode: SIMPLE |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment