Admission Controller

This service runs a mutating webhook on /mutate.

TLS Mutation Logic

  • Given a Gateway labeled for management by the controller,
  • inspect each Server entry, and
  • for each server that sets tls.mode = SIMPLE, construct a tls.credentialName of the form <namespace>-<gateway-name>-<port-name>.

For example:

---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: default
  labels:
    "v1beta1.kanopy-platform.github.io/istio-cert-controller-inject-simple-credential-name": "true"
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "default/httpbin.example.com"
      tls:
        mode: SIMPLE

The mutated object will contain tls.credentialName: default-httpbin-gateway-https.

Since tls.credentialName is also used to name the Certificate and Secret resources, it is subject to the 253-character maximum; the <namespace>-<gateway-name> prefix is truncated as needed so that the port name is preserved.

The Controller is responsible for the reconciliation of the referenced Certificate and Secret resources.

External DNS Annotation Mutation Logic

The external-dns mutation feature removes the external-dns.alpha.kubernetes.io/hostname annotation and removes or mutates the external-dns.alpha.kubernetes.io/target annotation on all Istio Gateway objects. The hostname annotation is removed because:

  1. external-dns always uses the hosts list from the gateway's server block when generating DNS entries.
  2. Istio requires the host on the gateway to route the request properly.

The mutation logic is:

  • If the controller has external-dns management enabled, and
  • if the namespace the gateway is created in is subject to mutation, then:
    • delete the external-dns.alpha.kubernetes.io/hostname annotation if present;
    • if externalDNSConfig.target is a non-empty value, set the external-dns.alpha.kubernetes.io/target value to the
    • else delete the annotation.

For example, with --external-dns-target=loadbalancer-vanity.example.com set, the gateway configuration of:

---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: default
  annotations:
    external-dns.alpha.kubernetes.io/hostname: "tobedeleted.gateway.example.com"
    external-dns.alpha.kubernetes.io/target: "anotherhost.example.com"
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "default/httpbin.example.com"
      tls:
        mode: SIMPLE

will become:

---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: default
  annotations:
    external-dns.alpha.kubernetes.io/target: "loadbalancer-vanity.example.com"
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "default/httpbin.example.com"
      tls:
        mode: SIMPLE
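As an added example (not the controller's own code), the Python below models both mutations described on this page as the JSON Patch operations a mutating webhook returns: credentialName construction with the 253-character truncation, and the external-dns annotation rewrite, including the case where the Gateway has no annotations map at all. The function names, the patch representation and the constructed sample Gateway are assumptions, not taken from the project.

```python
INJECT_LABEL = ("v1beta1.kanopy-platform.github.io/"
                "istio-cert-controller-inject-simple-credential-name")
HOSTNAME_ANN = "external-dns.alpha.kubernetes.io/hostname"
TARGET_ANN = "external-dns.alpha.kubernetes.io/target"
MAX_NAME_LEN = 253  # Certificate/Secret names are DNS subdomain names

GATEWAY = {  # constructed sample: the page's Gateway with both the label and the annotations
    "metadata": {"name": "httpbin-gateway", "namespace": "default",
                 "labels": {INJECT_LABEL: "true"},
                 "annotations": {HOSTNAME_ANN: "tobedeleted.gateway.example.com",
                                 TARGET_ANN: "anotherhost.example.com"}},
    "spec": {"servers": [{"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                          "hosts": ["default/httpbin.example.com"], "tls": {"mode": "SIMPLE"}}]},
}

def pointer(key: str) -> str:
    """RFC 6901 escaping: annotation keys contain '/', so '~' -> '~0' and '/' -> '~1'."""
    return key.replace("~", "~0").replace("/", "~1")

def credential_name(namespace: str, gateway: str, port_name: str) -> str:
    """<namespace>-<gateway-name>-<port-name>; only the prefix is truncated (hypothetical helper)."""
    room = MAX_NAME_LEN - len(port_name) - 1  # one character for the joining dash
    return f"{namespace}-{gateway}"[:room] + f"-{port_name}"

def tls_patches(gw: dict) -> list:
    """Labeled Gateways only; every server with tls.mode SIMPLE gets a credentialName."""
    meta = gw["metadata"]
    if meta.get("labels", {}).get(INJECT_LABEL) != "true":
        return []
    ops = []
    for i, server in enumerate(gw.get("spec", {}).get("servers", [])):
        if (server.get("tls") or {}).get("mode") == "SIMPLE":
            name = credential_name(meta["namespace"], meta["name"], server["port"]["name"])
            ops.append({"op": "add", "path": f"/spec/servers/{i}/tls/credentialName", "value": name})
    return ops

def external_dns_patches(gw: dict, enabled: bool, ns_managed: bool, target: str) -> list:
    """hostname is always removed; target becomes the configured value or is removed too."""
    if not (enabled and ns_managed):
        return []
    ann = gw["metadata"].get("annotations")
    if ann is None:  # no annotations map yet: an 'add' below it would fail, so create the map
        return [{"op": "add", "path": "/metadata/annotations", "value": {TARGET_ANN: target}}] if target else []
    base = "/metadata/annotations/"
    ops = [{"op": "remove", "path": base + pointer(HOSTNAME_ANN)}] if HOSTNAME_ANN in ann else []
    if target:  # JSON Patch 'add' on an existing key replaces its value
        ops.append({"op": "add", "path": base + pointer(TARGET_ANN), "value": target})
    elif TARGET_ANN in ann:
        ops.append({"op": "remove", "path": base + pointer(TARGET_ANN)})
    return ops
```

Running tls_patches(GATEWAY) yields the credentialName shown earlier, and external_dns_patches(GATEWAY, True, True, "loadbalancer-vanity.example.com") yields the hostname removal and target rewrite from the example above.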