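# ===========================================================================
# PASSTHROUGH path — sleep@mesh-test --(SNI route)--> egw-pt@egress-pt --> example.org:443
# App TLS is end-to-end. The gateway does not decrypt; it routes on SNI (example.org) only.
#
# example.org is used as the host (example.com is reserved for the existing
# example-logicaldns demo ServiceEntry — two SEs claiming the same host collide
# in the sidecar). This SE uses resolution: DNS (= STRICT_DNS), so a multi-IP host
# is safe (not subject to LOGICAL_DNS's single-endpoint restriction).
#
# Scoping discipline (why split): the client-side VS and the gateway-side VS are
# separate, and exportTo narrows visibility. That keeps the mesh route from leaking
# into other namespaces' sidecars (= host-collision prevention) and keeps the gateway
# route managed only in the gateway namespace. Details: gw__note-egress-vs-scoping.
#
# NOTE(review): these resources only route traffic that already chooses this path.
# Nothing here prevents a sidecar (or an uninjected pod) from reaching example.org
# or any other external host directly — that is a separate control
# (meshConfig.outboundTrafficPolicy REGISTRY_ONLY and/or Kubernetes NetworkPolicy
# restricting egress to the gateway). Confirm those are in place before treating
# the gateway as a choke point.
# ===========================================================================
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: pt-ext
  namespace: mesh-test
spec:
  # Expose the external host only to the client sidecars (".") and the egress-pt
  # gateway. No mesh-wide exposure.
  exportTo:
    - "."
    - "egress-pt"
  hosts:
    - example.org
  ports:
    - number: 443
      name: tls
      protocol: TLS  # protocol must be TLS for tls.sniHosts routing to attach (TCP cannot see SNI)
  resolution: DNS  # STRICT_DNS — expands a multi-IP A record into all endpoints (safe)
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: egw-pt-gateway
  namespace: egress-pt  # Gateway resource and gateway workload in the same ns (ready for PILOT_SCOPE_GATEWAY_TO_NAMESPACE)
spec:
  selector:
    istio: egw-pt  # selects only the egw-pt pod in egress-pt
  servers:
    - port:
        number: 443
        name: tls
        protocol: TLS
      hosts:
        # "./" binds only VirtualServices from this Gateway's own namespace.
        # A bare hostname defaults to "*/" (any namespace), which would let a
        # VirtualService in another namespace attach to this server and take
        # over the example.org SNI route — contrary to the scoping discipline
        # above. The only intended binder (pt-gateway) lives in egress-pt.
        - ./example.org
      tls:
        mode: PASSTHROUGH  # no decryption — SNI-based routing only
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: egw-pt-dr
  namespace: mesh-test
spec:
  exportTo:
    - "."  # only the client sidecars see this DR
  host: egw-pt.egress-pt.svc.cluster.local  # Helm release name (egw-pt) = Service name
  subsets:
    - name: pt
      # Passthrough has no TLS policy here — the subset is for identification only.
      # With no labels the subset does not filter the Service's endpoints (same
      # shape as Istio's egress TLS-passthrough example).
      # NOTE(review): with no tls block on this DR and the gateway server in
      # PASSTHROUGH, the sidecar -> gateway hop appears to carry only the
      # application's own TLS, i.e. no Istio mTLS peer identity reaches the
      # gateway. Confirm this before relying on source-principal
      # AuthorizationPolicy at the gateway.
---
# (1) client sidecar -> egress-pt gateway
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: pt-client
  namespace: mesh-test
spec:
  exportTo:
    - "."  # mesh route visible only to mesh-test sidecars
  hosts:
    - example.org
  gateways:
    - mesh
  tls:
    - match:
        - gateways:
            - mesh
          port: 443
          sniHosts:
            - example.org
      route:
        - destination:
            host: egw-pt.egress-pt.svc.cluster.local
            subset: pt
            port:
              number: 443
          weight: 100
---
# (2) egress-pt gateway -> external host
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: pt-gateway
  namespace: egress-pt
spec:
  exportTo:
    - "."  # route managed only at the egress-pt gateway
  hosts:
    - example.org
  gateways:
    - egw-pt-gateway
  tls:
    - match:
        - gateways:
            - egw-pt-gateway
          port: 443
          sniHosts:
            - example.org
      route:
        # Destination is the ServiceEntry host, resolved by the gateway itself
        # (resolution: DNS). The SNI match only selects this route; it does not
        # let a client steer the connection to an arbitrary host.
        - destination:
            host: example.org
            port:
              number: 443
          weight: 100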