Update egress tasks (#8343)

* Update egress tasks

* regen
Frank Budinsky 2020-10-23 12:37:52 -04:00 committed by GitHub
parent 4d70e1c44c
commit 7bf89ace1a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 43 additions and 89 deletions

@ -13,7 +13,7 @@ test: yes
This example does not work in Minikube.
{{</warning>}}
The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task shows how to configure
The [Accessing External Services](/docs/tasks/traffic-management/egress/egress-control) task shows how to configure
Istio to allow access to external HTTP and HTTPS services from applications inside the mesh.
There, the external services are called directly from the client sidecar.
This example also shows how to configure Istio to call external services, although this time
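Review bot: The new link target `/docs/tasks/traffic-management/egress/egress-control` has no trailing slash, while the link it replaces (`/docs/tasks/traffic-management/egress/`) and the other internal links in this commit (`/docs/reference/config/networking/service-entry/`, `/docs/tasks/traffic-management/egress/egress-gateway/`) all end with one. Suggest `/docs/tasks/traffic-management/egress/egress-control/` here and in the other occurrences of this link in the files touched by this commit, so the link style stays consistent and does not rely on a redirect.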

@ -9,9 +9,9 @@ aliases:
- /docs/examples/advanced-gateways/egress-tls-origination/
---
The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task demonstrates how external, i.e., outside of the
service mesh, HTTP and HTTPS services can be accessed from applications inside the mesh. As described in that task,
a [`ServiceEntry`](/docs/reference/config/networking/service-entry/) is used to configure Istio
The [Accessing External Services](/docs/tasks/traffic-management/egress/egress-control) task demonstrates how external,
i.e., outside of the service mesh, HTTP and HTTPS services can be accessed from applications inside the mesh. As described
in that task, a [`ServiceEntry`](/docs/reference/config/networking/service-entry/) is used to configure Istio
to access external services in a controlled way.
This example shows how to configure Istio to perform {{< gloss >}}TLS origination{{< /gloss >}}
for traffic to an external service. Istio will open HTTPS connections to the external service while the original
@ -57,10 +57,10 @@ is that Istio can produce better telemetry and provide more routing control for
## Configuring access to an external service
First start by configuring access to an external service, `edition.cnn.com`,
using the same technique shown in the [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task.
using the same technique shown in the [Accessing External Services](/docs/tasks/traffic-management/egress/egress-control) task.
This time, however, use a single `ServiceEntry` to enable both HTTP and HTTPS access to the service.
1. Create a `ServiceEntry` and `VirtualService` to enable access to `edition.cnn.com`:
1. Create a `ServiceEntry` to enable access to `edition.cnn.com`:
{{< text syntax=bash snip_id=apply_simple >}}
$ kubectl apply -f - <<EOF
@ -79,25 +79,6 @@ This time, however, use a single `ServiceEntry` to enable both HTTP and HTTPS ac
name: https-port
protocol: HTTPS
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: edition-cnn-com
spec:
hosts:
- edition.cnn.com
tls:
- match:
- port: 443
sniHosts:
- edition.cnn.com
route:
- destination:
host: edition.cnn.com
port:
number: 443
weight: 100
EOF
{{< /text >}}
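Review bot: With the `VirtualService` named `edition-cnn-com` dropped from this `kubectl apply`, the task no longer creates that resource, but no hunk on this page touches a cleanup step. Please check that the cleanup section of this task (and its generated snippet) no longer deletes a `VirtualService`; otherwise a reader following the updated steps will hit a not-found error at the end.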
@ -133,27 +114,27 @@ Both of these issues can be resolved by configuring Istio to perform TLS origina
## TLS origination for egress traffic
1. Redefine your `VirtualService` from the previous section to rewrite the HTTP request port
and add a `DestinationRule` to perform TLS origination.
1. Redefine your `ServiceEntry` from the previous section to redirect HTTP requests to port 443
and add a `DestinationRule` to perform TLS origination:
{{< text syntax=bash snip_id=apply_origination >}}
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
kind: ServiceEntry
metadata:
name: edition-cnn-com
spec:
hosts:
- edition.cnn.com
http:
- match:
- port: 80
route:
- destination:
host: edition.cnn.com
subset: tls-origination
port:
number: 443
ports:
- number: 80
name: http-port
protocol: HTTP
targetPort: 443
- number: 443
name: https-port
protocol: HTTPS
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
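Review bot: In the new `ServiceEntry`, `targetPort: 443` on the port 80 entry is the line that replaces the whole removed `http` route, yet it carries no inline comment, unlike `mode: SIMPLE` in the `DestinationRule`. Suggest a short comment on that line, for example `targetPort: 443 # requests sent to port 80 are forwarded to port 443 of the external host`, so the reader can see which field does the redirect without relying on the paragraph after the snippet.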
@ -161,21 +142,17 @@ Both of these issues can be resolved by configuring Istio to perform TLS origina
name: edition-cnn-com
spec:
host: edition.cnn.com
subsets:
- name: tls-origination
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
trafficPolicy:
portLevelSettings:
- port:
number: 80
tls:
mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
EOF
{{< /text >}}
As you can see, the `VirtualService` redirects HTTP requests on port 80 to port 443 where the corresponding
`DestinationRule` then performs the TLS origination.
The above `DestinationRule` will perform TLS origination for HTTP requests on port 80 and the `ServiceEntry`
will then redirect the requests on port 80 to target port 443.
1. Send an HTTP request to `http://edition.cnn.com/politics`, as in the previous section:
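Review bot: The `tls` block under `portLevelSettings` for port 80 sets only `mode: SIMPLE`, with no `caCertificates`. The `DestinationRule` reference states that when `caCertificates` is omitted the proxy does not verify the server's certificate, so as written the sidecar encrypts the connection to `edition.cnn.com` but does not authenticate the peer. Since this is the task people copy for TLS origination, suggest either adding `caCertificates` (and `subjectAltNames`) to the example or adding a sentence after the snippet saying that server certificate verification is not configured here. Separately, the moved setting now keys on port 80 instead of 443; a few words in the explanatory paragraph on why the service port is the one that matters would help readers who remember the old version.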

@ -49,25 +49,6 @@ spec:
name: https-port
protocol: HTTPS
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: edition-cnn-com
spec:
hosts:
- edition.cnn.com
tls:
- match:
- port: 443
sniHosts:
- edition.cnn.com
route:
- destination:
host: edition.cnn.com
port:
number: 443
weight: 100
EOF
}
@ -88,21 +69,21 @@ ENDSNIP
snip_apply_origination() {
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
kind: ServiceEntry
metadata:
name: edition-cnn-com
spec:
hosts:
- edition.cnn.com
http:
- match:
- port: 80
route:
- destination:
host: edition.cnn.com
subset: tls-origination
port:
number: 443
ports:
- number: 80
name: http-port
protocol: HTTP
targetPort: 443
- number: 443
name: https-port
protocol: HTTPS
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
@ -110,16 +91,12 @@ metadata:
name: edition-cnn-com
spec:
host: edition.cnn.com
subsets:
- name: tls-origination
trafficPolicy:
loadBalancer:
simple: ROUND_ROBIN
portLevelSettings:
- port:
number: 443
tls:
mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
trafficPolicy:
portLevelSettings:
- port:
number: 80
tls:
mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
EOF
}

@ -9,7 +9,7 @@ owner: istio/wg-networking-maintainers
test: yes
---
The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task and
The [Accessing External Services](/docs/tasks/traffic-management/egress/egress-control) task and
the [Configure an Egress Gateway](/docs/tasks/traffic-management/egress/egress-gateway/) example
describe how to configure egress traffic for specific hostnames, like `edition.cnn.com`.
This example shows how to enable egress traffic for a set of hosts in a common domain, for