Hi all,
New here & to istio, please be gentle!
I’ve got a cluster set up with strict mTLS and an ingress gateway connecting to a pod hosting a third party front-end.
This front end opens more pods on demand & tries to communicate with them via pod IP. Without completely predictable labels I’m struggling to allow them to communicate via istio. I’ll work on a pull request from that side.
(I’d be very grateful if someone knows whether or not it’s possible for istio-injected pods to communicate via pod IP when one doesn’t have a service, the child doesn’t have a predictable label, and I only know a potential range for the pod IPs)
In the meantime, I’m finally trying to use these child pods as non-istio injected pods. I’m opening them in another (non-injected) namespace and have defined a ServiceEntry like this:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: children
  namespace: parentnamespace
spec:
  hosts:
  - '*.childnamespace.svc.cluster.local'
  addresses:
  - X.X.X.0/19 # a block of IPs matching the internal pod IPs for the children.
  ports:
  - name: tcp
    number: 3838
    protocol: TCP
  location: MESH_EXTERNAL
```
I’m still struggling to connect. Any chance I’ve forgotten something obvious? Any pointers on where to debug next would be very welcome.
Many thanks,
Stuart
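An added debugging aid (example code, not from the post or from Istio): the ServiceEntry above is embedded as a dict, with the constructed placeholder `10.0.0.0/19` standing in for `X.X.X.0/19`, and two hypothetical helpers report whether a given child pod IP and port would be matched by the entry, and what the chosen and omitted fields imply for a strict-mTLS mesh.

```python
import ipaddress

# Constructed stand-in for the ServiceEntry in the post (placeholder CIDR).
SERVICE_ENTRY = {
    "hosts": ["*.childnamespace.svc.cluster.local"],
    "addresses": ["10.0.0.0/19"],  # placeholder for X.X.X.0/19
    "ports": [{"name": "tcp", "number": 3838, "protocol": "TCP"}],
    "location": "MESH_EXTERNAL",
    # "resolution" is not set in the post; Istio treats that as NONE.
}


def matches(entry, dst_ip, dst_port):
    """True if a sidecar would route a plain TCP connection to dst_ip:dst_port
    via this entry. For TCP ports no hostname/SNI can be sniffed, so the
    wildcard host is irrelevant: the match is on addresses + port only."""
    port_ok = any(p["number"] == dst_port and p["protocol"].upper() == "TCP"
                  for p in entry["ports"])
    ip = ipaddress.ip_address(dst_ip)
    addr_ok = any(ip in ipaddress.ip_network(cidr, strict=False)
                  for cidr in entry.get("addresses", []))
    return port_ok and addr_ok


def covered_addresses(entry):
    """Number of destination IPs the entry claims (the plaintext exposure)."""
    return sum(ipaddress.ip_network(c, strict=False).num_addresses
               for c in entry.get("addresses", []))


def review(entry):
    """Things to check before digging into the sidecar config."""
    findings = []
    if entry.get("resolution", "NONE") == "NONE":
        findings.append("resolution NONE: the sidecar forwards to the original "
                        "pod IP, which is what pod-IP calls need")
    if entry["location"] == "MESH_EXTERNAL":
        findings.append(f"MESH_EXTERNAL: no mTLS is originated, so "
                        f"{covered_addresses(entry)} addresses are reached in "
                        "plaintext; keep the CIDR as narrow as possible")
    if any(h.startswith("*") for h in entry["hosts"]):
        findings.append("wildcard host: only used for HTTP/SNI matching, "
                        "TCP traffic is matched by addresses and port")
    return findings


if __name__ == "__main__":
    print(matches(SERVICE_ENTRY, "10.0.5.7", 3838))   # True
    print(matches(SERVICE_ENTRY, "10.0.40.1", 3838))  # False: outside the /19
    for line in review(SERVICE_ENTRY):
        print("-", line)
```

If `matches` is True for the child's real IP and port but the connection still fails, the next place to look is the sidecar's listener and cluster for that CIDR and port rather than the ServiceEntry itself.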