I tried to follow the documentation to set up inbound mesh expansion with 1.1 on a bare-metal cluster to access in-cluster services from a VM outside of the cluster.
My requests end in a timeout, and they seem to get sent directly to the target pod (and some data directly to a telemetry pod) instead of being sent to the gateway. My podCIDR is not routable from outside the cluster. With the support for multi-cluster I expected this to work in 1.1 by routing through the gateway.
Am I mistaken here, and must podCIDR still be routable for inbound mesh expansion, or am I just missing some configuration?
I guess a mesh expansion machine (VM) cannot access Kubernetes services if it cannot reach the IP addresses of the endpoints (Pods) directly. (The document you used says “Mesh expansion machines must have IP connectivity to the endpoints in the mesh.”)
But is it possible to set the endpoint of Istio Mixer for the mesh expansion machine’s Envoy to the Istio gateway IP address? If so, can we collect the metrics of the mesh expansion machine’s Envoy even if the mesh expansion machine cannot reach the IP addresses of the endpoints (Pods)? If anyone knows, I’d be glad if you let us know. Thanks.
I’m not sure if it makes sense to revive this discussion, but I still have the use case and I still can’t get it working.
I’m doing another proof of concept with multiple VMs and Istio 1.7 now and am trying to get inbound mesh expansion working. Istio 1.7 is supposed to support this, and I tried to follow the relevant guides for virtual machines in a multi-network scenario, since my pod network is not directly routable from the VM network (https://istio.io/latest/docs/examples/virtual-machines/multi-network/ and https://istio.io/latest/docs/setup/install/virtual-machine/).
My main problem is that the Envoy config on the VM which wants to connect to the k8s pod still contains an internal pod IP instead of the gateway IP. Funnily enough, kubernetes-apiserver and calico-typha are contained in the config with the gateway IP, despite not even being Istio-enabled. I tried with and without setting up a VirtualService for the destination service (with and without mentioning the cluster-aware-gateway from the documentation).
Wow, I found the part I was stumbling over now. Your ingress gateway must be of type LoadBalancer to allow auto-discovery of its external IP address (e.g. externalIP is not sufficient). I opened a documentation issue here: https://github.com/istio/istio.io/issues/8211
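An added configuration example, not taken from the thread or from the Istio project, that shows the setting behind the finding above: the gateway address for the cluster network is only auto-discovered from `registryServiceName` when the ingress gateway Service carries a LoadBalancer ingress IP, so a bare-metal cluster that only sets `externalIPs` can pin the address explicitly instead. It assumes the field names of the Istio MeshNetworks API (`registryServiceName`, `address`, `port`, `fromRegistry`), the `values.global.meshExpansion` install option, and placeholder network names and IPs.

```yaml
# Added example (assumption-labelled): IstioOperator fragment for a
# VM multi-network setup on a cluster whose pod CIDR is not routable
# from the VMs. Network names and addresses are placeholders.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  values:
    global:
      meshExpansion:
        enabled: true
      meshNetworks:
        cluster-network:
          endpoints:
          # "Kubernetes" is the default cluster ID used by the registry.
          - fromRegistry: Kubernetes
          gateways:
          # Option A (what the guides show): look the address up from the
          # ingress gateway Service. This only yields an address when the
          # Service is type LoadBalancer and has an assigned ingress IP; a
          # NodePort/ClusterIP Service with externalIPs resolves to nothing,
          # and VM sidecars are then handed raw pod IPs and time out.
          # Check with:
          #   kubectl -n istio-system get svc istio-ingressgateway \
          #     -o jsonpath='{.status.loadBalancer.ingress}'
          - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
            port: 15443
          # Option B (bare-metal fallback, replaces Option A): pin the IP the
          # VMs can actually reach, e.g. the Service's externalIP, so the
          # sidecars are programmed with the gateway instead of pod IPs.
          # - address: 198.51.100.10   # placeholder gateway IP
          #   port: 15443
        vm-network:
          endpoints:
          # Constructed placeholder subnet for the VM side of the mesh.
          - fromCidr: 192.0.2.0/24
```

Keep exactly one of the two gateway options active; with Option B the gateway's externalIP must remain stable, since nothing will re-discover it if it changes.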