I’m trying to expose a specific service on a widely distributed multi-cloud set of kube clusters to a central control cluster. The goal is for the central control cluster to be able to discover, enumerate, and make outbound connections to the spoke services without having any publicly reachable IPs or listening ports on the spokes.
Istio’s support for multi-network clusters with mesh federation looks to be ideal for the job, except that it requires mutual reachability over the public Internet. For a variety of reasons (compliance box-ticking, spokes behind NAT, etc.), I need to have all the spokes initiate connections to the hub/control, and have all hub-to-spoke connections flow over a tunnel initiated by the spokes.
The desired model is similar to that used by Teleport - where the Teleport agents make persistent outbound connections to the Teleport Proxy, and the Teleport Proxy uses those to reverse-tunnel traffic back through the agents to the destination services. Unfortunately it looks like Teleport is unsuitable for this job in other ways - mainly due to overheads,
As far as I can tell the Istio Gateway and Istio Proxy do not offer any support for reverse tunnels.
If I could configure an Istio Proxy on the spoke networks to make outbound connections to the Istio Gateway or Proxy on the hub to establish reverse tunnels that Istio would use to route requests from hub services to exposed spoke services, that’d be ideal. But it doesn’t seem to be possible.
Anyone else had similar issues? Were you able to solve this with Istio? Or some other tool? I’ve been very surprised by how limited the options for this seemingly obvious problem seem to be.
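To make the reverse-tunnel model the post is asking for concrete: the spoke dials out to the hub, and the hub then behaves as the HTTP client over that spoke-initiated TCP connection while the spoke behaves as the HTTP server. The following is an added, self-contained Go sketch of that mechanic using only the standard library; it is not Istio or Teleport code and is not part of the original post. The hub address, the placeholder host `spoke.internal`, the `/healthz` path and the handler text are all made up for the demo.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"sync"
)

// singleConnListener turns one already-established connection into a
// net.Listener so that net/http can *serve* over a socket the spoke dialed.
// Accept hands out the connection once, then blocks until Close is called.
type singleConnListener struct {
	conn      net.Conn
	handOut   sync.Once
	closeOnce sync.Once
	done      chan struct{}
}

func newSingleConnListener(c net.Conn) *singleConnListener {
	return &singleConnListener{conn: c, done: make(chan struct{})}
}

func (l *singleConnListener) Accept() (net.Conn, error) {
	var c net.Conn
	l.handOut.Do(func() { c = l.conn })
	if c != nil {
		return c, nil
	}
	<-l.done // nothing else will ever arrive; wait for shutdown
	return nil, net.ErrClosed
}

func (l *singleConnListener) Close() error {
	l.closeOnce.Do(func() { close(l.done) })
	return nil
}

func (l *singleConnListener) Addr() net.Addr { return l.conn.LocalAddr() }

// hubClientOver returns an HTTP client whose "dial" never opens a socket:
// it hands back the tunnel the spoke opened to us. MaxConnsPerHost=1 keeps
// the transport from asking for a second connection we cannot provide.
func hubClientOver(tunnel net.Conn) *http.Client {
	tr := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			return tunnel, nil
		},
		MaxConnsPerHost: 1,
	}
	return &http.Client{Transport: tr}
}

// spokeHandler stands in for the service exposed on the spoke cluster (made up).
func spokeHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "hello from spoke, path=%s", r.URL.Path)
}

// runDemo wires hub and spoke together on loopback and returns the body the
// hub read from the spoke's service. The hub's listener is the only listening
// socket in the whole setup; the spoke only ever dials out.
func runDemo() (string, error) {
	hubLn, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer hubLn.Close()

	// Spoke: connect outbound, then act as the HTTP *server* over that connection.
	spokeConn, err := net.Dial("tcp", hubLn.Addr().String())
	if err != nil {
		return "", err
	}
	spokeLn := newSingleConnListener(spokeConn)
	defer spokeLn.Close()
	go func() { _ = http.Serve(spokeLn, http.HandlerFunc(spokeHandler)) }()

	// Hub: accept the inbound tunnel, then act as the HTTP *client* over it.
	tunnel, err := hubLn.Accept()
	if err != nil {
		return "", err
	}
	defer tunnel.Close()

	// The host name is a placeholder; DialContext above ignores it.
	resp, err := hubClientOver(tunnel).Get("http://spoke.internal/healthz")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

func main() {
	body, err := runDemo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(body)
}
```

The point of the sketch is that TCP direction and protocol role are independent: once the spoke has dialed out, the hub can treat that socket as if it had dialed the spoke. A real deployment would still need, at minimum, mTLS on the tunnel so the hub can authenticate which spoke it is talking to, a multiplexing layer so many hub requests can share one long-lived tunnel, and reconnect logic on the spoke; none of that is shown here.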