I’m looking into implementing Istio as a replacement for a HAProxy-Consul based container proxy, which currently allows for containerised services on a slave host to directly talk to the proxy, which then forwards the request to any of the available services (routing based on host header). The Istio documentation explicitly states: “When support for non-transparent proxying (application explicitly talks to the sidecar) is available in Istio, this restriction will no longer apply.” when referring to the iptables setup.
This makes me wonder how a conversion from DNS->local proxy IP->actual service IP + Port->service towards transparent proxying is going to work. Does Istio (and Envoy) use all service+port combinations from (in this case) the Consul service catalog so that a call to any of the addresses and port combinations gets routed to any one of the address+port combinations for all instances of that service?
Another question: the sidecar, when running with Kubernetes, runs for each pod, but in Mesos, a slave might have a variety of container instances for different services all running on that one host, with one IP and different ingress ports. I’m assuming that I won’t need to run a sidecar for every container instance on one such slave, but one sidecar per slave would do?