Help configuring istio outside of k8s


#1

I have deployed istio-pilot and the prerequisite applications inside Docker containers.
I have also deployed Consul and Envoy. I used the ‘Quick Start on Docker’ from the Nomad and Consul section of the Istio docs.
I am currently not using sidecars, as my microservices are all located inside PCF. As a first step in my workflow, I am trying to configure an ingress gateway that allows access to the microservices running inside PCF.

I have this all running inside a static Envoy configuration. I am working towards making use of Consul as the service registry and Pilot as the control plane to provide this configuration dynamically.

I need help determining what I need to put in my VirtualServices and DestinationRoutes in order to make the services registered in Consul available in Pilot and then passed as valid xDS configurations to Envoy. I may also need some guidance on what needs to be put in the Envoy configuration to make those clusters available as dynamic active clusters. As of now, I have this working up to the point of these all talking to each other, but the only dynamic cluster available is the blackhole cluster.

Note: I had to use [@] to replace [.] as they were being interpreted as external links.
Here is a sample of a registration sent to Consul:


    {
        "ID": "dd4a5349-6f98-4ac9-491c-3b4a-0",
        "Name": "person-service-dev",
        "Tags": [
            "version|v1"
        ],
        "Meta": {
            "App_Guid": "9f444ca7-a93f-4c51-af7b-8b1a129906fd",
            "Application_uri_0": "person-service-dev-blue@pcf1test1@somecompany.com",
            "Environment": "dev",
            "Instance_Guid": "dd4a5349-6f98-4ac9-491c-3b4a",
            "Instance_Index": "0",
            "Region": "1",
            "Revision": "aeebbfff-3fe7-45fd-9ca5-53b22734e185",
            "private_IP": "10.3.111.111",
            "private_port": "61016"
        },
        "Port": 443,
        "Address": "person-service-dev@pcf1test1@somecompany.com",
        "Weights": {
            "Passing": 1,
            "Warning": 1
        },
        "EnableTagOverride": false
    }

Here is a sample of the static configuration that works:


     "configs": {
      "listeners": {
       "@type": "type.googleapis.com/envoy.admin.v2alpha.ListenersConfigDump",
       "staticListeners": [
        {
         "name": "listener_0",
         "address": {
          ...
          }
         },
         "filterChains": [
          {
          ...
           },
           "filters": [
            {
             "name": "envoy.http_connection_manager",
             "config": {
              "stat_prefix": "ingress_http",
              "add_user_agent": true,
              "route_config": {
               "name": "remote_route",
               "virtual_hosts": [
                {
                 "routes": [
                  {
                   "route": {
                    "prefix_rewrite": "/",
                    "cluster": "person-service-dev_cluster",
                    "auto_host_rewrite": true,
                    "timeout": "5s"
                   },
                   "match": {
                    "prefix": "/v1/config/"
                   }
                  },
     ...
       "clusters": {
       "@type": "type.googleapis.com/envoy.admin.v2alpha.ClustersConfigDump",
       "staticClusters": [
        {
        ...
         "name": "person-service-dev_cluster",
         "type": "STRICT_DNS",
         "connectTimeout": "3s",
         "hosts": [
          {
           "socketAddress": {
            "address": "person-service-dev@pcf1test1@somecompany@com",
            "portValue": 443
           }
          },
          {
           "socketAddress": {
            "address": "person-service-dev@pcf2test1@somecompany@com",
            "portValue": 443
           }
          }
         ],
         "healthChecks": [
          {
           "timeout": "5s",
           "interval": "5s",
           "intervalJitter": "1s",
           "unhealthyThreshold": 5,
           "healthyThreshold": 2,
           "reuseConnection": true,
           "httpHealthCheck": {
            "host": "person-service-dev@somecompany@com",  # this is a dummied value it is just any server page that returns a 200
            "path": "/health"
           }
          }
         ],
         "tlsContext": {
          "commonTlsContext": {
           "validationContext": {
            "trustedCa": {
             "filename": "/etc/ssl/certs/ca-cert-somecompanyrootca.pem"
            }
           }
          },
          ...