Whitelist domain


#1

hi.

istio newb hoping to get started once the forthcoming integration with hashicorp’s vault is available (1.1). looking at the documentation for the integration itself, i notice it seems to require whitelisting of the vault installation so that istio does not intercept requests.

The testing Vault server used in this tutorial has the IP address 35.233.249.249 . The configuration global.proxy.excludeIPRanges="35.233.249.249/32" whitelists the IP address of the testing Vault server, so that Envoy will not intercept the traffic from Node Agent to Vault.

in my configuration, vault does not live at a stable IP address, but behind a provider’s load balancer with an unstable pool of addresses, fronted with a stable domain.

is there a way to whitelist domains in the global.proxy settings (or elsewhere)?

any other workarounds for such a scenario?

thanks!


#2

You could create a service entry for Vault:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: vault-ext
spec:
  hosts:
    - vault.example.com
  ports:
    - number: 80
      name: http
      protocol: HTTP
    - number: 443
      name: https
      protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL