Whitelist domain

Hi.

Istio newb hoping to get started once the forthcoming integration with HashiCorp's Vault is available (1.1). Looking at the documentation for the integration itself, I notice it seems to require whitelisting of the Vault installation so that Istio does not intercept requests.

https://preliminary.istio.io/docs/tasks/security/vault-ca/

The testing Vault server used in this tutorial has the IP address 35.233.249.249. The configuration global.proxy.excludeIPRanges="35.233.249.249/32" whitelists the IP address of the testing Vault server, so that Envoy will not intercept the traffic from Node Agent to Vault.

In my configuration, Vault does not live at a stable IP address, but behind a provider's load balancer with an unstable pool of addresses, fronted with a stable domain.

Is there a way to whitelist domains in the global.proxy settings (or elsewhere)?

Any other workarounds for such a scenario?

Thanks!
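To make the problem in the question concrete: global.proxy.excludeIPRanges takes IP literals, so the best it can do for a name behind a rotating load-balancer pool is snapshot whatever the name resolves to at install time, and any address the pool later adds is intercepted by Envoy again. The following is an added example written for this thread (not code from Istio, the Vault CA tutorial, or any poster). It assumes the flag accepts a comma-separated list of CIDR blocks, which is the format the quoted tutorial shows ("35.233.249.249/32"); the host name vault.example.com and the sample address pool are constructed for illustration. resolve_addresses needs network access; the other two functions run offline.

```python
"""Snapshot a host name into the CIDR list global.proxy.excludeIPRanges expects,
and detect when a rotating load-balancer pool has drifted away from it.

Added example for this thread; not code from Istio or the Vault CA tutorial.
Assumption: the flag takes comma-separated CIDR blocks, as in "35.233.249.249/32".
"""
import ipaddress
import socket
from typing import Iterable, List


def resolve_addresses(hostname: str) -> List[str]:
    """Every A/AAAA record the resolver currently returns for hostname (needs network)."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def exclude_ip_ranges(addresses: Iterable[str]) -> str:
    """Build the value for global.proxy.excludeIPRanges from a set of addresses.

    - A bare address becomes a host route (/32 for IPv4, /128 for IPv6);
      an input that is already a CIDR block is kept as a block.
    - Duplicates and adjacent addresses are collapsed so the sidecar's
      iptables exclusion rules stay short.
    - A host name is rejected: the flag cannot take one, which is exactly
      the limitation the question is about.
    """
    nets = []
    for addr in addresses:
        try:
            nets.append(ipaddress.ip_network(addr, strict=False))
        except ValueError as exc:
            raise ValueError(f"excludeIPRanges needs IP literals, got {addr!r}") from exc
    # collapse_addresses only accepts one address family at a time
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return ",".join(str(n) for n in (*v4, *v6))


def uncovered_addresses(configured_ranges: str, current: Iterable[str]) -> List[str]:
    """Addresses in the pool right now that the configured exclusion list misses.

    Traffic to these goes back through Envoy, so for the Node Agent to Vault
    path the mesh would again intercept its own CA bootstrap traffic.
    """
    nets = [ipaddress.ip_network(r.strip()) for r in configured_ranges.split(",") if r.strip()]
    return [a for a in current if not any(ipaddress.ip_address(a) in n for n in nets)]


if __name__ == "__main__":
    # Constructed pool standing in for what vault.example.com resolved to at install time.
    install_time_pool = ["35.233.249.249", "35.233.249.250"]
    ranges = exclude_ip_ranges(install_time_pool)
    print(f'--set global.proxy.excludeIPRanges="{ranges}"')

    # Constructed later pool: the provider rotated one address out and one in.
    later_pool = ["35.233.249.249", "35.233.249.251"]
    for addr in uncovered_addresses(ranges, later_pool):
        print(f"{addr} is not excluded; Envoy will intercept traffic to it")
```

The drift check is the useful part in practice: run it from a job that re-resolves the name and alert when it returns anything, because a silent miss here means Node Agent's Vault traffic is being proxied without anyone noticing. Keying the exclusion on the name itself (rather than its addresses) is what the IP-based flag cannot express.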

You could create a service entry for Vault:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: vault-ext
spec:
  hosts:
    - vault.example.com
  ports:
    - number: 80
      name: http
      protocol: HTTP
    - number: 443
      name: https
      protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL

I filed a bug about this: https://github.com/istio/istio/issues/14253

Comments are welcome.