istio.io/istio@v0.0.0-20240520182934-d79c90f27776/releasenotes/notes/external-name.yaml

istio.io/istio@v0.0.0-20240520182934-d79c90f27776/releasenotes/notes/external-name.yaml (about)

     1  apiVersion: release-notes/v2
     2  kind: bug-fix
     3  area: traffic-management
     4  issues:
     5    - 37331
     6  releaseNotes:
     7    - |
     8      **Improved** support for `ExternalName` services. See Upgrade Notes for more information
     9  upgradeNotes:
    10    - title: "Upcoming `ExternalName` support changes"
    11      content: |
    12        Below describes *upcoming* changes to `ExternalName`.
    13        In this release, there is no behavioral changes by default.
    14        However, you can explicitly opt-in to the new behavior early if desired, and prepare your environments for the upcoming change.
    15        
    16        Kubernetes `ExternalName` `Service`s allow users to create new DNS entries. For example, you can create an `example` service
    17        that points to `example.com`. This is implemented by a DNS `CNAME` redirect.
    18        
    19        In Istio, the implementation of `ExternalName`, historically, was substantially different. Each `ExternalName` represented its own
    20        service, and traffic matching the service was sent to the configured DNS name.
    21        
    22        This caused a few issues:
    23        * Ports are required in Istio, but not in Kubernetes. This can result in broken traffic if ports are not configured as Istio expects, despite them working without Istio.
    24        * Ports not declared as `HTTP` would match *all* traffic on that port, making it easy to accidentally send all traffic on a port to the wrong place.
    25        * Because the destination DNS name is treated as opaque, we cannot apply Istio policies to it as expected. For example, if I point
    26          an external name at another in-cluster Service (for example, `example.default.svc.cluster.local`), mTLS would not be used.
    27        
    28        `ExternalName` support has been revamped to fix these problems. `ExternalName`s are now simply treated as aliases.
    29        Wherever we would match `Host: <concrete service>` we additionally will match `Host: <external name service>`.
    30        Note that the primary implementation of `ExternalName` -- DNS -- is handled outside of Istio in the Kubernetes DNS implementation, and remains unchanged.
    31        
    32        If you are using `ExternalName` with Istio, please be advised of the following behavioral changes:
    33        * The `ports` field is no longer needed, matching Kubernetes behavior. If it is set, it will have no impact.
    34        * `VirtualServices` that match on an `ExternalName` service will generally no longer match. Instead, the match should be rewritten to the referenced service.
    35        * `DestinationRule` can no longer apply to `ExternalName` services. Instead, create rules where the `host` references service.
    36        
    37        These changes are off-by-default in this release, but will be on-by-default in the near future.
    38        To opt-in early, the `ENABLE_EXTERNAL_NAME_ALIAS=true` environment variable can be set.