I’m looking into extending our Istio mesh onto VMs. These VMs run docker containers with host networking. The containers are orchestrated by Nomad.
I managed to do a POC where I run one application on a VM; however, this requires the workloadgroup to have the details for a single application. As this workloadgroup is used to bootstrap the proxy sidecar, I don’t see a way to run multiple, different applications on a VM. Is this even possible?
So yes, you can do this.
The workloadgroup is not necessarily hard connected to the workloadentries.
Having a workloadgroup like:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadGroup
metadata:
  name: virtual-machines
  namespace: default
spec:
  template:
    serviceAccount: istio-vm
    network: "${NETWORK}"
```

Can be used to bootstrap a sidecar proxy on the VM.
This then needs to be used like such:
```shell
istioctl x workload entry configure -f workloadgroup.yaml -o output-dir --clusterID "my-cluster" --ingressIP ${K8S_INGRESS_IP}
```
Then for each application, just supply a separate workloadentry:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadEntry
metadata:
  name: my-pod-id
  labels:
    app: my-app
spec:
  serviceAccount: istio-vm
  address: ${VM_IP}
  ports:
    http: 1234 # may differ per 'pod' and VM, as the service below uses the port NAME
  labels:
    app: my-app
```
After which the workload entries can be grouped into a kubernetes service:
```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: my-app
  name: my-app
spec:
  type: ClusterIP
  ports:
  - name: http
    port: 80
    targetPort: http # connect to the WorkloadEntry port by name, to allow different ports per 'pod'
  selector:
    app: my-app # find the WorkloadEntry
```
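The answer above ties a Service to its WorkloadEntries by port name, and the question states the containers use host networking on the VM. Two things then go wrong quietly when manifests are generated per application: a Service's named `targetPort` that some selected WorkloadEntry never defines, and two entries on the same VM address claiming the same port number, which the manifests accept but the host's port space does not. The following is an added example, not code from this thread or from Istio: a small Python check over constructed sample manifests (the VM address `10.0.0.5`, the app names and ports are all made up for the example) that builds WorkloadEntry and Service objects in the shape shown in the answer and reports both problems before anything is applied to the cluster.

```python
from collections import defaultdict


def workload_entry(name, app, address, ports):
    """Build a WorkloadEntry shaped like the one in the answer (constructed sample)."""
    return {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "WorkloadEntry",
        "metadata": {"name": name, "labels": {"app": app}},
        "spec": {
            "serviceAccount": "istio-vm",
            "address": address,
            "ports": dict(ports),  # port NAME -> port NUMBER on the VM
            "labels": {"app": app},
        },
    }


def service(name, app, port, target_port):
    """Build a ClusterIP Service selecting app=<app> with one named port."""
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": name, "labels": {"app": app}},
        "spec": {
            "type": "ClusterIP",
            "ports": [{"name": "http", "port": port, "targetPort": target_port}],
            "selector": {"app": app},
        },
    }


def labels_match(selector, labels):
    """Kubernetes equality-based selector: every selector key must match exactly."""
    return all(labels.get(key) == value for key, value in selector.items())


def check_manifests(workload_entries, services):
    """Return a list of problems; an empty list means the manifests fit together."""
    problems = []

    # 1. A targetPort given by NAME must exist in every WorkloadEntry the Service
    #    selects, otherwise that endpoint has no port to forward to.
    for svc in services:
        svc_name = svc["metadata"]["name"]
        selector = svc["spec"].get("selector", {})
        selected = [we for we in workload_entries
                    if labels_match(selector, we["spec"].get("labels", {}))]
        if not selected:
            problems.append(f"service {svc_name}: selector {selector} matches no WorkloadEntry")
        for port in svc["spec"]["ports"]:
            target = port.get("targetPort", port["port"])
            if isinstance(target, int):
                continue  # a numeric targetPort needs no name lookup
            for we in selected:
                if target not in we["spec"].get("ports", {}):
                    problems.append(
                        f"service {svc_name}: WorkloadEntry {we['metadata']['name']} "
                        f"has no port named {target!r}")

    # 2. With host networking every container shares the VM's port space, so two
    #    entries on the same address may not claim the same port number.
    claims = defaultdict(list)
    for we in workload_entries:
        for port_number in we["spec"].get("ports", {}).values():
            claims[(we["spec"]["address"], port_number)].append(we["metadata"]["name"])
    for (address, port_number), names in sorted(claims.items()):
        if len(names) > 1:
            problems.append(f"port {port_number} on {address} claimed by {', '.join(sorted(names))}")

    return problems


# Constructed sample: one VM (10.0.0.5) hosting two apps on different ports.
VM_IP = "10.0.0.5"
GOOD_ENTRIES = [
    workload_entry("my-app-vm1", "my-app", VM_IP, {"http": 1234}),
    workload_entry("other-app-vm1", "other-app", VM_IP, {"http": 5678}),
]
GOOD_SERVICES = [
    service("my-app", "my-app", 80, "http"),
    service("other-app", "other-app", 80, "http"),
]

# Constructed failing sample: a third app reuses port 1234 on the same VM, and a
# Service points at a port name ("grpc") that the selected entry never defined.
BAD_ENTRIES = GOOD_ENTRIES + [workload_entry("billing-vm1", "billing", VM_IP, {"http": 1234})]
BAD_SERVICES = GOOD_SERVICES + [service("billing", "billing", 80, "grpc")]

if __name__ == "__main__":
    for label, entries, svcs in (("good", GOOD_ENTRIES, GOOD_SERVICES),
                                 ("bad", BAD_ENTRIES, BAD_SERVICES)):
        found = check_manifests(entries, svcs)
        print(f"{label}: {len(found)} problem(s)")
        for line in found:
            print("  -", line)
```

Run as a script it prints no problems for the first set and two for the second; the same check can be pointed at the real manifests by loading them into the same dict shape before calling `check_manifests`. The port-collision rule is deliberately per address, since entries on different VMs may reuse a port number freely, which is exactly what the named `targetPort` in the answer allows.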