I am writing a service to coordinate Istio control planes in a "replicated control planes" configuration. I have managed to programmatically create ServiceEntry objects that correctly route between clusters – multicluster routing works great! Things even fail over correctly between clusters without any extra config. An example of a service entry that my app creates looks like this:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: httpbin-no-proxy.httpbin
  namespace: my-app
spec:
  addresses:
    - 245.0.0.1
  endpoints:
    # Some remote cluster ingress
    - address: 172.18.0.3
      labels:
        app: httpbin
        my-app/managed: cluster-1
        identity: httpbin
      ports:
        http: 15443
    - address: httpbin-no-proxy.httpbin.svc.cluster.local
      labels:
        app: httpbin-no-proxy
        my-app/managed: cluster-2
        identity: httpbin
      ports:
        http: 8000
  hosts:
    - httpbin-no-proxy.httpbin.global
  location: MESH_INTERNAL
  ports:
    - name: http
      number: 8000
      protocol: http
  resolution: DNS
```
However... In order to make it easier to onboard services, I would like to enable this functionality for service pairs where the client/server are in different clusters AND the server does not yet have istio injected.
This doesn't work out of the box (either in-cluster or out-of-cluster) because, with the requisite ServiceEntry in place in the server cluster, Istio does not terminate mTLS at the ingress gateway – the service receives encrypted traffic!

Within my cluster I am able to configure termination for sidecars using a DestinationRule, like so:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin-no-proxy.httpbin
spec:
  host: httpbin-no-proxy.httpbin.global
  trafficPolicy:
    outlierDetection:
      baseEjectionTime: 120s
      consecutiveErrors: 10
      interval: 5s
      minHealthPercent: 49
    tls:
      mode: DISABLE
```
This makes the `.global` work internally within the server cluster – traffic from pods with a sidecar in the server cluster is no longer encrypted when it reaches the server. But this doesn't take effect when traversing the ingress gateway, even if I create the DestinationRule in the `istio-system` or `istio-config` namespaces.
What makes the ingress proxy instance special, and how do I get an ingress gateway to connect to an upstream (server) in plaintext?