
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Open items:
#   - gateway injection is not wired up yet
#   - RBAC for creating Service / WorkloadInstance objects during
#     auto-registration is not included
#   - choosing between an ILB (needs the Cloud Run connector) and a regular
#     LB (works without a connector) is not yet an option; both are
#     declared below as separate Services
---
# Public-facing gateway Service for hgate.
apiVersion: v1
kind: Service
metadata:
  name: hgate
  namespace: istio-system
  annotations:
    # Keep this Service out of the mesh's cluster generation: it is not a
    # mesh-internal service, and because it listens on 80/443 it would
    # collide with whitebox listeners. Whitebox mode honoring UNTRUSTED is
    # still to be done.
    networking.istio.io/exportTo: .
  labels:
    topology.istio.io/network: hbone
spec:
  type: LoadBalancer
  selector:
    app: hgate
  ports:
    # SNI routing port shared with the east-west gateway; Envoy uses it for
    # Istio multi-network inbound traffic.
    - name: tls
      port: 15443
    - name: https-hbone
      port: 15008
    # Reverse (h2r) connections. Note that 15442, the dedicated SNI to
    # mTLS-over-hbone outbound tunneling port, is deliberately NOT exposed
    # on this public endpoint (see internal-hgate below).
    - name: https-h2r
      port: 15441
    # Standard ingress ports, so the same Gateway can also serve regular
    # ingress traffic.
    - name: https
      port: 443
      targetPort: 8443
    - name: http
      port: 80
      targetPort: 8080
    # Istiod access for docker containers on the public internet, or for
    # Cloud Run when no connector is in use.
    - name: tls-istiod
      port: 15012
    # NOTE(review): this port carries the plain `tcp-` prefix rather than
    # `tls-` and is reachable through a public LoadBalancer; confirm that
    # the backing listener authenticates clients before relying on it.
    - name: tcp-istiod
      port: 16012
---
# In-cluster (ClusterIP) Service pointing at istiod itself.
apiVersion: v1
kind: Service
metadata:
  name: hgate-istiod
  namespace: istio-system
spec:
  selector:
    app: istiod
    istio.io/rev: default
  ports:
    # NOTE(review): 15012 is named tcp-istiod here but tls-istiod on the
    # hgate Services; the name prefix drives Istio protocol selection, so
    # confirm the difference is intentional.
    - name: tcp-istiod
      port: 15012
---
# Internal load balancer variant of the hgate Service, for clients inside
# the VPC. See:
# https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing
apiVersion: v1
kind: Service
metadata:
  name: internal-hgate
  namespace: istio-system
  annotations:
    networking.gke.io/load-balancer-type: 'Internal'
    cloud.google.com/load-balancer-type: 'Internal'
    networking.gke.io/internal-load-balancer-allow-global-access: 'true'
  labels:
    topology.istio.io/network: hbone
spec:
  type: LoadBalancer
  selector:
    app: hgate
  ports:
    # SNI routing port shared with the east-west gateway.
    - name: tls
      port: 15443
    # Dedicated SNI to mTLS-over-hbone tunneling port (internal only).
    - name: tls-tun
      port: 15442
    - name: https-hbone
      port: 15008
    # Reverse (h2r) connection support.
    - name: https-h2r
      port: 15441
    # Istiod access for docker containers / VMs on the internal VPC, or for
    # Cloud Run via the connector, targeting the in-cluster istiod.
    - name: tls-istiod
      port: 15012
---