hi.
istio newb hoping to get started once the forthcoming integration with hashicorp’s vault is available (1.1). looking at the documentation for the integration itself, i notice it seems to require whitelisting of the vault installation so that istio does not intercept requests.
https://preliminary.istio.io/docs/tasks/security/vault-ca/
The testing Vault server used in this tutorial has the IP address 35.233.249.249. The configuration global.proxy.excludeIPRanges="35.233.249.249/32" whitelists the IP address of the testing Vault server, so that Envoy will not intercept the traffic from Node Agent to Vault.
in my configuration, vault does not live at a stable IP address, but behind a provider’s load balancer with an unstable pool of addresses, fronted with a stable domain.
is there a way to whitelist domains in the global.proxy settings (or elsewhere)?
any other workarounds for such a scenario?
thanks!