# File: tests/testdata/config/se-example.yaml
# (istio.io/istio@v0.0.0-20240520182934-d79c90f27776)
#
# Examples from the doc and site, in namespace seexamples
# The 'egress' example conflicts, it's in separate namespace
#
# Ports:
# - 27018 (mongo) - with VIP
# - 443 - SNI routing
# - 80 - *.bar.com resolution:NONE example
#
# - 8000 - virtual entry backed by multiple DNS-based services
# - 8001 - unix domain socket
#
# - 1200 - the inbound service and
# - 21200 - the inbound container
#
# Namespace-wide Sidecar (no workloadSelector is given): limits the egress
# hosts imported by proxies in seexamples to services in the same namespace.
# NOTE(review): this scopes proxy configuration; whether traffic to hosts
# outside the list is actually blocked depends on the mesh's
# outboundTrafficPolicy, which is not set in this file - confirm before
# treating it as an egress control.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: seexamples
spec:
  egress:
    - hosts:
        - seexamples/*  # Doesn't work without this - should be default

---
# Test workload entry
# Service port 1200 (tcplocal) is mapped to port 21200 on the single static
# endpoint via the per-endpoint port override below.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: workload
  namespace: seexamples
spec:
  hosts:
    - test.seexamples

  ports:
    - number: 1200
      name: tcplocal
      protocol: TCP

  location: MESH_INTERNAL
  resolution: STATIC

  endpoints:
    - address: 10.12.0.1
      ports:
        tcplocal: 21200
---

# Mongo cluster reached through a VIP range and backed by two static
# endpoints. It is declared MESH_INTERNAL, and the DestinationRule that
# follows applies mutual TLS to the same host.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-mongocluster
  namespace: seexamples
spec:
  hosts:
    - mymongodb.somedomain  # not used

  addresses:
    # The /24 suffix makes this match the whole 192.192.192.0/24 range,
    # not only the single address written here.
    - 192.192.192.192/24  # VIPs

  ports:
    - number: 27018
      name: mongodb
      protocol: MONGO
  location: MESH_INTERNAL
  resolution: STATIC
  endpoints:
    - address: 2.2.2.2
    - address: 3.3.3.3

---
# Mutual TLS origination for the mongo cluster, using file-based credentials.
# The certificate and key paths point into the repository's test data, so the
# private key is a shared test fixture: it provides no confidentiality and
# must not be reused for anything other than these tests.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mtls-mongocluster
  namespace: seexamples
spec:
  host: mymongodb.somedomain
  trafficPolicy:
    tls:
      mode: MUTUAL
      # Envoy test runs in pilot/pkg/xds directory, but envoy process base dir is set to IstioSrc
      clientCertificate: tests/testdata/certs/default/cert-chain.pem
      privateKey: tests/testdata/certs/default/key.pem
      caCertificates: tests/testdata/certs/default/root-cert.pem
      # Not included in the example, added for testing
      sni: v1.mymongodb.somedomain
      # Names the server certificate is checked against. Note that the SNI
      # sent above and the name listed here differ; both are test values.
      subjectAltNames:
        - service.mongodb.somedomain

---
# The following example uses a combination of service entry and TLS
# routing in virtual service to demonstrate the use of SNI routing to
# forward unterminated TLS traffic from the application to external
# services via the sidecar. The sidecar inspects the SNI value in the
# ClientHello message to route to the appropriate external service.
#
# NOTE(review): the SNI value is chosen by the client and the TLS session is
# not terminated at the sidecar, so this is routing by a client-supplied
# name. It should not be relied on as the only egress allow-list control.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-https
  namespace: seexamples
spec:
  hosts:
    - api.dropboxapi.com
    - www.googleapis.com
    - api.facebook.com
  location: MESH_EXTERNAL
  ports:
    - number: 443
      name: https
      protocol: TLS
  resolution: DNS

---

# One TLS route per external host: each matches port 443 plus the host's own
# SNI value and forwards to the destination of the same name.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tls-routing
  namespace: seexamples
spec:
  hosts:
    - api.dropboxapi.com
    - www.googleapis.com
    - api.facebook.com
  tls:
    - match:
        - port: 443
          sniHosts:
            - api.dropboxapi.com
      route:
        - destination:
            host: api.dropboxapi.com
    - match:
        - port: 443
          sniHosts:
            - www.googleapis.com
      route:
        - destination:
            host: www.googleapis.com
    - match:
        - port: 443
          sniHosts:
            - api.facebook.com
      route:
        - destination:
            host: api.facebook.com
---
# The following example demonstrates the use of wildcards in the hosts for
# external services. If the connection has to be routed to the IP address
# requested by the application (i.e. application resolves DNS and attempts
# to connect to a specific IP), the discovery mode (the `resolution` field)
# must be set to `NONE`.
#
# NOTE(review): with resolution NONE the destination IP is whatever the
# application connected to, and the match is on the HTTP host name only, so
# nothing here ties the host name to that IP. Plain HTTP on port 80 also
# leaves the mesh unencrypted. Confirm that is acceptable where this pattern
# is copied outside of tests.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-wildcard-example
  namespace: seexamples
spec:
  hosts:
    - "*.bar.com"
  location: MESH_EXTERNAL
  ports:
    - number: 80
      name: http
      protocol: HTTP
  resolution: NONE

---
# The following example demonstrates a service that is available via a
# Unix Domain Socket on the host of the client. The resolution must be
# set to STATIC to use unix address endpoints.
#
# NOTE(review): who can reach the service is then decided by the file
# permissions on the socket path, which this file does not control.

# Modified to use port 8001
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: unix-domain-socket-example
  namespace: seexamples
spec:
  hosts:
    - "example.unix.local"
  location: MESH_EXTERNAL
  ports:
    - number: 8001
      name: http
      protocol: HTTP
  resolution: STATIC
  endpoints:
    - address: unix:///var/run/example/socket

---

# For HTTP based services, it is possible to create a VirtualService
# backed by multiple DNS addressable endpoints. In such a scenario, the
# application can use the HTTP_PROXY environment variable to transparently
# reroute API calls for the VirtualService to a chosen backend. For
# example, the following configuration creates a non-existent external
# service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
# uk.foo.bar.com:9080, and in.foo.bar.com:7080
#
# NOTE(review): the port is declared as HTTP and no DestinationRule for
# foo.bar.com appears in this file, so as written the requests to the three
# backends are sent in plaintext.

# Modified to use port 8000
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-dns
  namespace: seexamples
spec:
  hosts:
    - foo.bar.com
  location: MESH_EXTERNAL
  ports:
    - number: 8000
      name: http
      protocol: HTTP
  resolution: DNS
  endpoints:
    - address: us.foo.bar.com
      ports:
        # TODO: example uses 'https', which is rejected currently
        http: 8080
    - address: uk.foo.bar.com
      ports:
        http: 9080
    - address: in.foo.bar.com
      ports:
        http: 7080

---