Tags: istio, istio-sidecar, istio-gateway

Routing traffic from a namespace without Istio to a namespace with Istio


In my cluster I have multiple namespaces. All my 1st-party services are running in one namespace, and all 3rd-party services are running in their own namespaces.

I have Istio enabled on my 1st-party namespace (let's call it ns-1). Istio is not enabled for any of my 3rd-party namespaces.

I have a 3rd-party service that needs to connect to my 1st-party service. The 3rd-party service will use k8s DNS like service1.ns-1.svc.cluster.local to connect to my service. The 3rd-party service can communicate with my 1st-party service without TLS. When I enable TLS between the services it fails, and I don't know how/where to terminate the TLS.

Is it possible to define a Gateway that can route traffic between namespaces? Or is it possible to route traffic between namespaces through the Istio IngressGateway?


Solution

  • After playing with Istio & Minikube with echo-server examples, this is what I found. First let me define the namespaces and services so it will be easy to explain.

    Below is the connection status between these 2 services.

    As you may already know, in the 4th case above (service-2 with TLS) the TLS is not terminated by any Istio object, which is what causes this failure.

    If the TLS can be terminated by a sidecar this can work. Adding TLS to the sidecar API is what I am looking for, but it is not in the current Istio release (1.12.2 as of this answer).

    What I ended up doing?

    I deployed another istio-ingressgateway with service type ClusterIP and set it to route traffic for my ports. This will be the gateway for all my 3rd-party services to reach my 1st-party services; it will terminate TLS for incoming traffic and do mTLS to services in the Istio namespace (ns-1). Since this is a ClusterIP service, it will be visible only inside the cluster. I then configured Istio Gateway and VirtualService objects to route traffic to my services based on port numbers.
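The manifests below are an added example of the setup the answer describes (a second, cluster-internal ingress gateway that terminates TLS and forwards to a mesh service by port); they are not the answerer's own files. The gateway name internal-ingressgateway, the ports 8443/8080, the secret name internal-gateway-cert, and the ns-1/service1 names are assumed for illustration. The Istio 1.12 IstioOperator, Gateway and VirtualService fields used are real; everything else is a placeholder you would replace.

```yaml
# 1. Deploy a second ingress gateway whose Service is ClusterIP only,
#    so it is reachable from inside the cluster but never exposed externally.
#    Apply with: istioctl install -f internal-gateway.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: internal-ingress            # assumed name
  namespace: istio-system
spec:
  profile: empty                    # add only this component to the existing install
  components:
    ingressGateways:
    - name: internal-ingressgateway # assumed name
      namespace: istio-system
      enabled: true
      label:
        istio: internal-ingressgateway   # the Gateway object selects pods by this label
      k8s:
        service:
          type: ClusterIP           # the key point: no external IP/LoadBalancer
          ports:
          - name: https-service1
            port: 8443              # assumed port the 3rd-party service will dial
            targetPort: 8443
---
# 2. Gateway: terminate TLS on 8443 using a Kubernetes TLS secret that lives in
#    the SAME namespace as the gateway pods (istio-system here), e.g.
#    kubectl -n istio-system create secret tls internal-gateway-cert \
#        --cert=server.crt --key=server.key
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: internal-gateway            # assumed name
  namespace: istio-system
spec:
  selector:
    istio: internal-ingressgateway
  servers:
  - port:
      number: 8443
      name: https-service1
      protocol: HTTPS
    hosts:
    - "*"                           # route by port, not by hostname/SNI
    tls:
      mode: SIMPLE                  # gateway terminates TLS; plaintext HTTP inside
      credentialName: internal-gateway-cert   # assumed secret name
---
# 3. VirtualService: anything arriving on 8443 goes to service1 in ns-1.
#    Because the gateway pod is itself an Istio proxy, the hop to service1
#    is mTLS whenever ns-1 has mTLS enabled (e.g. PeerAuthentication STRICT).
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: service1-internal           # assumed name
  namespace: istio-system
spec:
  hosts:
  - "*"
  gateways:
  - internal-gateway
  http:
  - match:
    - port: 8443
    route:
    - destination:
        host: service1.ns-1.svc.cluster.local
        port:
          number: 8080              # assumed container port of service1
```

With this in place the 3rd-party service (which has no sidecar) dials the gateway's ClusterIP service, for example https://internal-ingressgateway.istio-system.svc.cluster.local:8443, instead of service1 directly; the certificate it validates is the one in internal-gateway-cert, so that certificate must carry the gateway's Service DNS name as a SAN. One server/VirtualService match per port is added for each additional 1st-party service, which is the port-based routing the answer describes. A quick check that the gateway is wired correctly is istioctl proxy-config listener <internal-ingressgateway-pod> -n istio-system, which should list the 8443 listener with its TLS configuration.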