ServiceEntry with exportTo "." when using the Egress Gateway

I’ve set up the routing through the egress gateway as documented in the tutorial. But, there the ServiceEntry is not exporting to only the namespace in which the caller resides and the VirtualService doesn’t use the sourceNamespace either.

I would like to change this setup now to achieve these additional requirements:

  1. the namespace with the legitimate source service should be able to make the connection via the egress gateway in istio-system (the cluster is running with REGISTRY_ONLY)
  2. other namespaces should get their connection attempt denied
  3. other namespaces with legit need for the same destination should be able to have independent configurations that don’t clash (for example different additional ports)

So, as a trial I’ve changed the external ServiceEntry in my legit source namespace from exportTo “*” to exportTo “.”. As assumed, traffic routing immediately stopped working.

So, I’ve cloned the ServiceEntry into istio-system, where the egress gateway runs, also with exportTo “.” - no success.
Then I’ve split the VirtualService into a part “mesh -> egress gateway” that I retained in my source namespace and a second VirtualService in istio-system with the part “egress gateway -> cluster external” - again no success.
Then I changed the ServiceEntry in the source namespace from MESH_EXTERNAL to MESH_INTERNAL - and still no success.

I’m running out of options now to make the solution work… I must be missing something…

Any idea what I’m missing?
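For reference, here is the layout the post describes written out as Istio manifests. This is an added example, not configuration from the original post or from the Istio tutorial it mentions, and it mirrors the poster's attempted setup rather than a confirmed working one. The namespace `app-ns`, the host `external.example.com` and all resource names are constructed placeholders. What the manifests make explicit: an `exportTo: ["."]` resource is visible only to proxies in its own namespace, so the egress gateway's proxy in `istio-system` only learns the host from the copy placed there (the post's second step), and the `sourceNamespace` match in the first VirtualService is what limits the mesh-side route to callers from the legitimate namespace.

```yaml
# Added example, not from the original post. Names and host are constructed
# placeholders; the layout follows the steps described in the post.

# 1. ServiceEntry in the source namespace, visible only there (exportTo ".").
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-example
  namespace: app-ns
spec:
  hosts:
  - external.example.com
  ports:
  - number: 443
    name: tls
    protocol: TLS
  location: MESH_EXTERNAL
  resolution: DNS
  exportTo:
  - "."
---
# 2. Clone in istio-system so the egress gateway's own proxy knows the host.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-example
  namespace: istio-system
spec:
  hosts:
  - external.example.com
  ports:
  - number: 443
    name: tls
    protocol: TLS
  location: MESH_EXTERNAL
  resolution: DNS
  exportTo:
  - "."
---
# 3. Gateway bound to the egress gateway pods, TLS passthrough for the host.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: egress-external-example
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - external.example.com
    tls:
      mode: PASSTHROUGH
---
# 4. First half of the split VirtualService (mesh -> egress gateway), kept in
#    the source namespace; sourceNamespace limits it to callers from app-ns.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: external-example-to-egress
  namespace: app-ns
spec:
  hosts:
  - external.example.com
  gateways:
  - mesh
  exportTo:
  - "."
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - external.example.com
      sourceNamespace: app-ns
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 443
---
# 5. Second half (egress gateway -> cluster external) in istio-system.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: external-example-from-egress
  namespace: istio-system
spec:
  hosts:
  - external.example.com
  gateways:
  - egress-external-example
  tls:
  - match:
    - gateways:
      - egress-external-example
      port: 443
      sniHosts:
      - external.example.com
    route:
    - destination:
        host: external.example.com
        port:
          number: 443
```

A useful check when debugging this kind of layout is `istioctl proxy-config cluster <pod>.<namespace>` run against a caller pod and against an egress gateway pod: it lists the clusters each proxy actually received, so a host missing from one of the two lists points at the `exportTo` scope rather than at the VirtualService routes.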

bump (sorry, I still need an answer)