This repository was archived by the owner on Oct 22, 2021. It is now read-only.
Services generated by fissile make Istio malfunction #510
Open
Description
When Istio is in use on a Kubernetes cluster, port names of all Services have to follow the naming convention required by Istio. This is also true when the components generated by fissile are not using Istio themselves. While this can be considered a design flaw and might be fixed in future, we have to deal with it somehow in the meanwhile.
Here are a couple of things that could be done to mitigate the issue:
- Add the `networking.istio.io/exportTo=.` annotation to the Services generated by fissile which are not supposed to be accessed through Istio - helps to work around "Limitations around TCP Services make Istio pretty unusable on larger multi-tenant clusters" (istio/istio#9784) and "A service configuration can make all the egress HTTPs service inaccessible" (istio/istio#14520)
- Rename ports to comply with the naming conventions required by Istio (https://istio.io/docs/setup/kubernetes/additional-setup/requirements), keeping in mind that a certain port number must have the same name prefix over the whole cluster unless the service is scoped to a single namespace by `networking.istio.io/exportTo=.`, e.g. for port `443` the name must always start from `https` - helps with "A service configuration can make all the egress HTTPs service inaccessible" (istio/istio#14520)
Update:
- It looks like I'm mixing two problems here ("Limitations around TCP Services make Istio pretty unusable on larger multi-tenant clusters" istio/istio#9784 and "A service configuration can make all the egress HTTPs service inaccessible" istio/istio#14520), though it's fine as they are similar in a way they affect the rest of the cluster and the approaches towards solving the issues are likely to be connected
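An added example, not part of the original issue or of fissile: a small audit that applies the two mitigations above to Service manifests parsed into dicts. It skips Services carrying the `networking.istio.io/exportTo` annotation set to `.`, and for the rest it flags port names without a protocol prefix and port numbers whose prefix differs across the cluster. The protocol list, the helper names and the sample Services are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumption: protocol prefixes Istio recognises; adjust to the Istio version in use.
ISTIO_PROTOCOLS = {"http", "http2", "https", "grpc", "mongo", "redis", "tcp", "tls"}
EXPORT_TO = "networking.istio.io/exportTo"  # annotation named in the issue


def port_prefix(name):
    """Return the protocol prefix of a `<protocol>[-<suffix>]` port name, else None."""
    m = re.fullmatch(r"([a-z0-9]+)(-.*)?", name or "")
    return m.group(1) if m and m.group(1) in ISTIO_PROTOCOLS else None


def audit_services(services):
    """Return sorted findings for Service manifests given as parsed dicts."""
    findings, seen = [], defaultdict(set)  # seen: port number -> {(prefix, service)}
    for svc in services:
        meta = svc["metadata"]
        sid = f'{meta.get("namespace", "default")}/{meta["name"]}'
        if (meta.get("annotations") or {}).get(EXPORT_TO) == ".":
            continue  # scoped to its own namespace: treated here as mitigated
        for port in svc["spec"].get("ports", []):
            prefix = port_prefix(port.get("name"))
            if prefix is None:
                findings.append(f'{sid}: port {port["port"]} name {port.get("name")!r} has no protocol prefix')
            else:
                seen[port["port"]].add((prefix, sid))
    for number, entries in seen.items():
        if len({p for p, _ in entries}) > 1:
            who = ", ".join(sorted(f"{s}={p}" for p, s in entries))
            findings.append(f"port {number}: prefix differs across cluster-visible Services ({who})")
    return sorted(findings)


def make_service(namespace, name, ports, scoped=False):
    """Build a minimal Service manifest dict (helper for the constructed sample)."""
    meta = {"namespace": namespace, "name": name, "annotations": {EXPORT_TO: "."} if scoped else {}}
    return {"metadata": meta, "spec": {"ports": [{"port": n, "name": nm} for n, nm in ports]}}


# Constructed sample: names and namespaces are hypothetical, not real fissile output.
SAMPLE = [
    make_service("cf", "api", [(443, "https-api")]),
    make_service("cf", "router", [(443, "tcp-router")]),
    make_service("cf", "nats", [(4222, "nats")]),
    make_service("uaa", "mysql", [(3306, "mysql")], scoped=True),
]
```

Calling `audit_services(SAMPLE)` reports the unprefixed `nats` port and the `https`/`tcp` disagreement on port 443; the annotated `uaa/mysql` Service is not reported.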