Whitelist domain



istio newb hoping to get started once the forthcoming integration with hashicorp’s vault is available (1.1). looking at the documentation for the integration itself, i notice it seems to require whitelisting of the vault installation so that istio does not intercept requests.

The testing Vault server used in this tutorial has the IP address . The configuration global.proxy.excludeIPRanges="" whitelists the IP address of the testing Vault server, so that Envoy will not intercept the traffic from Node Agent to Vault.

in my configuration, vault does not live at a stable IP address, but behind a provider’s load balancer with an unstable pool of addresses, fronted with a stable domain.

is there a way to whitelist domains in the global.proxy settings (or elsewhere)?

any other workarounds for such a scenario?



You could create a service entry for Vault:

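# Registers the external Vault host in the mesh's service registry
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: vault-ext
spec:
  hosts:
    - vault.example.com
  ports:
    - number: 80
      name: http
      protocol: HTTP
    - number: 443
      name: https
      protocol: HTTPS
  # Endpoints are resolved by DNS lookup of the host, not by fixed IP addresses
  resolution: DNS
  location: MESH_EXTERNAL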