# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # The HBone gateway can also be used to reach in-cluster Istiod. This will be merged with the east-west gateway, # so it needs to keep the same features apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: hgate-istiod namespace: istio-system spec: selector: istio: hgate servers: # Port 15012 is using SNI routing, with mesh identities. # Istiod is expected to use explicit ServerName istiod.istio-system.svc # Other SNI routes can be added explicitly, expectation is to use mTLS or # TLS+JWT - port: name: tls-istiod number: 15012 # Route based on SNI protocol: tls tls: mode: PASSTHROUGH hosts: - "*" - port: name: http number: 80 protocol: HTTP hosts: - "*" - port: name: https number: 443 protocol: HTTP hosts: - "*" - port: name: https-hb number: 15008 protocol: HTTPS tls: mode: ISTIO_MUTUAL hosts: - "*" --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: hgate-istiod namespace: istio-system spec: hosts: - "*" gateways: - hgate-istiod tls: - match: - port: 15012 sniHosts: - "*" route: - destination: host: hgate-istiod.istio-system.svc.cluster.local port: number: 15012 --- # The 'hgate-istiod' is a plain TCP service, disable all TLS-related # discovery. apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: hgate-istiod namespace: istio-system spec: host: hgate-istiod.istio-system.svc.cluster.local trafficPolicy: portLevelSettings: - port: number: 15012 tls: mode: DISABLE