Reputation: 353
Istio gateway internal proxy
I'm looking for an internal cluster proxy and on Istio's Gateway documentation i found the following:
You can also use a gateway to configure a purely internal proxy
So my question is how i could do that? I assume that the specific implementation it's just a single envoy running on the cluster. For the Gateway's manifest, selector is required which most of the times it's the ingressgateway that handles traffic coming from outside the cluster. What should be the selector in my case, since i need the internal implementaition?
Upvotes: 3
Views: 444
Answers (1)
Reputation: 8830
You can use istio mesh gateway for that.
There is an example in istio documentation, take a look at the bold font.
For example, the following VirtualService splits traffic for https://uk.bookinfo.com/reviews, https://eu.bookinfo.com/reviews, http://uk.bookinfo.com:9080/reviews, http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of an internal reviews service on port 9080. In addition, requests containing the cookie “user: dev-123” will be sent to special port 7777 in the qa version. The same rule is also applicable inside the mesh for requests to the “reviews.prod.svc.cluster.local” service. This rule is applicable across ports 443, 9080. Note that http://uk.bookinfo.com gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo-rule
namespace: bookinfo-namespace
spec:
hosts:
- reviews.prod.svc.cluster.local
- uk.bookinfo.com
- eu.bookinfo.com
gateways:
- some-config-namespace/my-gateway
- mesh # applies to all the sidecars in the mesh
http:
- match:
- headers:
cookie:
exact: "user=dev-123"
route:
- destination:
port:
number: 7777
host: reviews.qa.svc.cluster.local
- match:
- uri:
prefix: /reviews/
route:
- destination:
port:
number: 9080 # can be omitted if it's the only port for reviews
host: reviews.prod.svc.cluster.local
weight: 80
- destination:
host: reviews.qa.svc.cluster.local
weight: 20
As it's not well described in documentation I have prepared two examples with nginx pods, take a look here and here.
Upvotes: 3
Related Questions
- Access external jwksuri behind a company proxy
- Istio - redirect request to external url
- Inbound Istio Ingress Gateway Metrics
- Can I use Istio VirtualService without a Gateway?
- Istio Virtual Service - Proxy to external HTTPS service
- Use Istio to filter traffic to an external proxy
- Istio proxy_pass from external resources
- How to assign an external IP to the Istio Ingress Gateway with IstioOperator? [GKE]
- ISTIO GRPC Gateway configuration
- How do I create an internal gateway using Istio?