I'm struggling with configuring the Istio service mesh, especially with resolving domains that are accessible only by internal services.
My question is, when does a ServiceEntry with the resolution field set to "DNS" resolve the hosts field values and apply them to the Istio routing table?
For example, when does the "mine.ops.hm-net" domain get resolved as "mine-ops-service"?
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: internal-service-entry
spec:
  hosts:
  - "mine.ops.hm-net"
  ports:
  - name: http
    number: 80
    protocol: HTTP
  location: MESH_INTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: mine-ops-vs
  namespace: mine-ops
spec:
  hosts:
  - mine.ops.hm-net
  gateways:
  - mesh
  http:
  - route:
    - destination:
        host: mine-ops-service
        port:
          number: 80
Possible scenarios I can imagine are:
I'm curious about this because a ServiceEntry with a wildcard host (such as *.ops.hm-net) fails to resolve.
It would make sense if the ServiceEntry updates the Istio routing table only when it's registered (first scenario) because there's no way to know the endpoint address with *.opt.hm-net.
I've read Istio's official DNS proxying and ServiceEntry docs several times, but there's no mention of my question.
Thank you for reading!
I asked the same question in the Istio community and was told that the first scenario is the answer (update the routing table even when the TTL expires).