External-dns: [Discussion] Support for istio VirtualService as source

Created on 3 Jan 2020 · 6 Comments · Source: kubernetes-sigs/external-dns

Use case:
Istio allows you to use a "central" Gateway e.g. in the istio-system namespace that you can refer to in your VirtualService via <namespace>/<gateway>. We want to use it that way so that we don't need to specify the gateway configuration (ports, TLS settings) for each app / namespace.

Current situation:
Right now, only istio Gateways are supported as a source. Also, if you want to put another ingress (e.g. backed by an AWS ALB) in front of the istio ingress gateway and want to use HTTPS between the ingress and the ingress gateway, you _need_ to specify the hosts field in the Gateway as *, otherwise the envoy proxy will expect the SNI field to be set to one of the given hosts values for incoming requests (which the ALB doesn't seem to set). However, setting this field to * prevents you from entering a hostname that external-dns will extract as an endpoint.

Proposed solution:
Add another source for istio VirtualServices. They also have a hosts field that can be used to extract endpoints for external-dns, and setting this field does not require SNI in incoming requests. For extracting the targets for these endpoints, external-dns could have a look at the gateways field of the VirtualService (e.g. use the first one if there are multiple) and then apply the same logic that is currently in place for Gateways already, or expect the external-dns.alpha.kubernetes.io/target annotation on the VirtualService.

Related issues: #1339, #1046
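The target lookup order the proposal describes (annotation first, otherwise the first referenced gateway, with `<namespace>/<gateway>` references resolved across namespaces), as an added illustration that is not external-dns code. The `VirtualService` struct is a hypothetical stand-in for the Istio object, and `gatewayTargets` is assumed to be a map from "namespace/name" to load-balancer addresses that the existing Gateway source logic would provide.

```go
package main

import (
	"fmt"
	"strings"
)

// TargetAnnotation is the existing external-dns annotation the proposal reuses.
const TargetAnnotation = "external-dns.alpha.kubernetes.io/target"

// VirtualService is a hypothetical stand-in for the Istio object (proposal fields only).
type VirtualService struct {
	Namespace, Name string
	Hosts, Gateways []string
	Annotations     map[string]string
}

// VirtualServiceEndpoints returns host -> targets using the proposed order: the
// target annotation wins, else the first gateway reference is resolved through
// gatewayTargets (keyed "namespace/name", assumed filled by the existing Gateway
// source). Bare gateway names are scoped to the VirtualService's namespace; "*" hosts are skipped.
func VirtualServiceEndpoints(vs VirtualService, gatewayTargets map[string][]string) (map[string][]string, error) {
	var targets []string
	if t := vs.Annotations[TargetAnnotation]; t != "" {
		for _, s := range strings.Split(t, ",") {
			if s = strings.TrimSpace(s); s != "" {
				targets = append(targets, s)
			}
		}
	} else {
		if len(vs.Gateways) == 0 {
			return nil, fmt.Errorf("%s/%s: no gateway and no %s annotation", vs.Namespace, vs.Name, TargetAnnotation)
		}
		ref := vs.Gateways[0]
		if !strings.Contains(ref, "/") {
			ref = vs.Namespace + "/" + ref
		}
		if targets = gatewayTargets[ref]; len(targets) == 0 {
			return nil, fmt.Errorf("%s/%s: no address known for gateway %s", vs.Namespace, vs.Name, ref)
		}
	}
	eps := map[string][]string{}
	for _, h := range vs.Hosts {
		if h != "" && !strings.Contains(h, "*") {
			eps[h] = targets
		}
	}
	return eps, nil
}
```

A wildcard host still reaches the VirtualService, but no DNS record can be created for it, which is the same gap the `*` Gateway host leaves today.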

All 6 comments

I'm working on an implementation now.

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

I'm looking forward to it.

/remove-lifecycle rotten

That would be a tremendous contribution! I have the same architecture you described. One istio gateway behind ALB provided by alb-ingress-controller. This istio gateway is managed by cluster admins and the development teams manage their virtual services.
With nginx-ingress-controller, I managed to create an ingress alb (host: *) and, with the annotation external-dns.alpha.kubernetes.io/hostname on it, created a custom DNS (e.g. my-nginx.domain.com) and set the flag publish-status-address in the nginx-ingress-controller to the same domain.
With this configuration the ADDRESS of nginx ingresses will have the value my-nginx.domain.com and external-dns is able to create records in route53.

Now I need to have something similar for istio vs. Looking forward to it. Thanks.
