From 77f5dea4cef7be69d72f0e71dd271ab9fcd78844 Mon Sep 17 00:00:00 2001 From: Faseela K Date: Wed, 13 Nov 2024 15:43:45 +0100 Subject: [PATCH 1/9] Document DNS Auto Allocation Version 2 Signed-off-by: Faseela K --- .../traffic-management/dns-proxy/index.md | 63 +++++++++++++++++++ .../traffic-management/dns-proxy/snips.sh | 51 +++++++++++++++ .../traffic-management/dns-proxy/test.sh | 14 ++++- 3 files changed, 127 insertions(+), 1 deletion(-) diff --git a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md index bafd75f830b2d..802311adb0f14 100644 --- a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md +++ b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md @@ -100,6 +100,10 @@ to [the following section](#external-tcp-services-without-vips) for more details To work around these issues, the DNS proxy additionally supports automatically allocating addresses for `ServiceEntry`s that do not explicitly define one. This is configured by the `ISTIO_META_DNS_AUTO_ALLOCATE` option. +{{< tip >}} +Please see [DNS Auto Allocation V2](/docs/ops/configuration/traffic-management/dns-proxy/#dns-auto-allocation-v2) for a new enhanced implementation of auto allocation supported by Istio from 1.21 onwards. +{{< /tip >}} + When this feature is enabled, the DNS response will include a distinct and automatically assigned address for each `ServiceEntry`. The proxy is then configured to match requests to this IP address, and forward the request to the corresponding `ServiceEntry`. When using `ISTIO_META_DNS_AUTO_ALLOCATE`, Istio will automatically allocate non-routable VIPs (from the Class E subnet) to such services as long as they do not use a wildcard host. The Istio agent on the sidecar will use the VIPs as responses to the DNS lookup queries from the application. Envoy can now clearly distinguish traffic bound for each external TCP service and forward it to the right target. For more information check respective [Istio blog about smart DNS proxying](/blog/2020/dns-proxy/#automatic-vip-allocation-where-possible). {{< warning >}} @@ -219,6 +223,65 @@ A virtual IP address will be assigned to every service entry so that client side ADDRESS=240.240.69.138, DESTINATION=Cluster: outbound|9000||tcp-echo.external-1.svc.cluster.local {{< /text >}} +## DNS Auto Allocation V2 + +Istio now offers an enhanced implementation of DNS Auto Allocation. To use the new feature, replace the feature flag `ISTIO_META_DNS_AUTO_ALLOCATE` which was used in the previous example, with `PILOT_ENABLE_IP_AUTOALLOCATE` while installing Istio. All examples given so far would work as is. + + {{< text bash >}} + $ cat <}} + +Users also have the flexibility for more granular configuration by adding the label `networking.istio.io/enable-autoallocate-ip="true/false"` to their `ServiceEntry`. This label configures whether a `ServiceEntry` without any `spec.addresses` set should get an IP address automatically allocated for it. + +To try this out, update the existing `ServiceEntry` with the opt-out label: + +{{< text bash >}} +$ kubectl apply -f - <}} + +Now, send a request and verify that the auto allocation is no longer happening: + +{{< text bash >}} +$ kubectl exec deploy/curl -- curl -sS -v auto.internal +* Could not resolve host: auto.internal +* shutting down connection #0 +{{< /text >}} + + ## Cleanup {{< text bash >}} diff --git a/content/en/docs/ops/configuration/traffic-management/dns-proxy/snips.sh b/content/en/docs/ops/configuration/traffic-management/dns-proxy/snips.sh index 00cf65d372640..3bbefad7e9c2e 100644 --- a/content/en/docs/ops/configuration/traffic-management/dns-proxy/snips.sh +++ b/content/en/docs/ops/configuration/traffic-management/dns-proxy/snips.sh @@ -160,6 +160,57 @@ ADDRESS=240.240.105.94, DESTINATION=Cluster: outbound|9000||tcp-echo.external-2. ADDRESS=240.240.69.138, DESTINATION=Cluster: outbound|9000||tcp-echo.external-1.svc.cluster.local ENDSNIP +snip_dns_auto_allocation_version_2_1() { +cat < Date: Wed, 13 Nov 2024 16:01:14 +0100 Subject: [PATCH 2/9] fix gencheck Signed-off-by: Faseela K --- .../configuration/traffic-management/dns-proxy/snips.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/en/docs/ops/configuration/traffic-management/dns-proxy/snips.sh b/content/en/docs/ops/configuration/traffic-management/dns-proxy/snips.sh index 3bbefad7e9c2e..e412f24fd76a8 100644 --- a/content/en/docs/ops/configuration/traffic-management/dns-proxy/snips.sh +++ b/content/en/docs/ops/configuration/traffic-management/dns-proxy/snips.sh @@ -160,7 +160,7 @@ ADDRESS=240.240.105.94, DESTINATION=Cluster: outbound|9000||tcp-echo.external-2. ADDRESS=240.240.69.138, DESTINATION=Cluster: outbound|9000||tcp-echo.external-1.svc.cluster.local ENDSNIP -snip_dns_auto_allocation_version_2_1() { +snip_dns_auto_allocation_v2_1() { cat < Date: Wed, 13 Nov 2024 17:03:02 +0100 Subject: [PATCH 3/9] fix tests Signed-off-by: Faseela K --- .../ops/configuration/traffic-management/dns-proxy/test.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/en/docs/ops/configuration/traffic-management/dns-proxy/test.sh b/content/en/docs/ops/configuration/traffic-management/dns-proxy/test.sh index c28b4facefd46..add242f9565b1 100644 --- a/content/en/docs/ops/configuration/traffic-management/dns-proxy/test.sh +++ b/content/en/docs/ops/configuration/traffic-management/dns-proxy/test.sh @@ -46,7 +46,7 @@ _verify_lines snip_external_tcp_services_without_vips_5 " " # enable enhanced dns auto allocation and verify all the above steps once again -snip_dns_auto_allocation_version_2_1 +snip_dns_auto_allocation_v2_1 _verify_contains snip_dns_capture_in_action_3 "$snip_dns_capture_in_action_3_out" _verify_contains snip_address_auto_allocation_2 "* Trying 240.240." _verify_lines snip_external_tcp_services_without_vips_5 " @@ -54,8 +54,8 @@ _verify_lines snip_external_tcp_services_without_vips_5 " + outbound|9000||tcp-echo.external-1.svc.cluster.local " # verify opt-out -snip_dns_auto_allocation_version_2_2 -_verify_contains snip_dns_auto_allocation_version_2_3 "$snip_dns_auto_allocation_version_2_3_out" +snip_dns_auto_allocation_v2_2 +_verify_contains snip_dns_auto_allocation_v2_3 "$snip_dns_auto_allocation_v2_3_out" # @cleanup From efa6faa4c26169f6f9ff1e2d5e76c98aaac3e564 Mon Sep 17 00:00:00 2001 From: Faseela K Date: Wed, 13 Nov 2024 17:17:47 +0100 Subject: [PATCH 4/9] fix lint Signed-off-by: Faseela K --- .../docs/ops/configuration/traffic-management/dns-proxy/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md index 802311adb0f14..67a000c0be27a 100644 --- a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md +++ b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md @@ -281,7 +281,6 @@ $ kubectl exec deploy/curl -- curl -sS -v auto.internal * shutting down connection #0 {{< /text >}} - ## Cleanup {{< text bash >}} From 09de1036b4f37dd92e62f2f8e0203d40846faea8 Mon Sep 17 00:00:00 2001 From: Faseela K Date: Wed, 13 Nov 2024 17:49:54 +0100 Subject: [PATCH 5/9] review comments Signed-off-by: Faseela K --- .../traffic-management/dns-proxy/index.md | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md index 67a000c0be27a..a3e0b349a4929 100644 --- a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md +++ b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md @@ -101,7 +101,7 @@ to [the following section](#external-tcp-services-without-vips) for more details To work around these issues, the DNS proxy additionally supports automatically allocating addresses for `ServiceEntry`s that do not explicitly define one. This is configured by the `ISTIO_META_DNS_AUTO_ALLOCATE` option. {{< tip >}} -Please see [DNS Auto Allocation V2](/docs/ops/configuration/traffic-management/dns-proxy/#dns-auto-allocation-v2) for a new enhanced implementation of auto allocation supported by Istio from 1.21 onwards. +Please see [DNS Auto Allocation V2](/docs/ops/configuration/traffic-management/dns-proxy/#dns-auto-allocation-v2) for a new enhanced implementation of auto allocation supported by Istio from 1.23 onwards. {{< /tip >}} When this feature is enabled, the DNS response will include a distinct and automatically assigned address for each `ServiceEntry`. The proxy is then configured to match requests to this IP address, and forward the request to the corresponding `ServiceEntry`. When using `ISTIO_META_DNS_AUTO_ALLOCATE`, Istio will automatically allocate non-routable VIPs (from the Class E subnet) to such services as long as they do not use a wildcard host. The Istio agent on the sidecar will use the VIPs as responses to the DNS lookup queries from the application. Envoy can now clearly distinguish traffic bound for each external TCP service and forward it to the right target. For more information check respective [Istio blog about smart DNS proxying](/blog/2020/dns-proxy/#automatic-vip-allocation-where-possible). @@ -225,30 +225,30 @@ A virtual IP address will be assigned to every service entry so that client side ## DNS Auto Allocation V2 -Istio now offers an enhanced implementation of DNS Auto Allocation. To use the new feature, replace the feature flag `ISTIO_META_DNS_AUTO_ALLOCATE` which was used in the previous example, with `PILOT_ENABLE_IP_AUTOALLOCATE` while installing Istio. All examples given so far would work as is. +Istio now offers an enhanced implementation of DNS Auto Allocation. To use the new feature, replace the feature flag `ISTIO_META_DNS_AUTO_ALLOCATE`, which was used in the previous example, with `PILOT_ENABLE_IP_AUTOALLOCATE` while installing Istio. All examples given so far would work as is. - {{< text bash >}} - $ cat <}} +{{< text bash >}} +$ cat <}} Users also have the flexibility for more granular configuration by adding the label `networking.istio.io/enable-autoallocate-ip="true/false"` to their `ServiceEntry`. This label configures whether a `ServiceEntry` without any `spec.addresses` set should get an IP address automatically allocated for it. From b9e15869c25404406df867e5b50937a81cec937d Mon Sep 17 00:00:00 2001 From: Faseela K Date: Thu, 14 Nov 2024 12:08:24 +0100 Subject: [PATCH 6/9] review comments Signed-off-by: Faseela K --- .../ops/configuration/traffic-management/dns-proxy/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md index a3e0b349a4929..39b799552deb5 100644 --- a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md +++ b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md @@ -101,7 +101,7 @@ to [the following section](#external-tcp-services-without-vips) for more details To work around these issues, the DNS proxy additionally supports automatically allocating addresses for `ServiceEntry`s that do not explicitly define one. This is configured by the `ISTIO_META_DNS_AUTO_ALLOCATE` option. {{< tip >}} -Please see [DNS Auto Allocation V2](/docs/ops/configuration/traffic-management/dns-proxy/#dns-auto-allocation-v2) for a new enhanced implementation of auto allocation supported by Istio from 1.23 onwards. +Please see [DNS Auto Allocation V2](/docs/ops/configuration/traffic-management/dns-proxy/#dns-auto-allocation-v2) for a new enhanced implementation of auto allocation supported by Istio from 1.23 onwards. DNS Auto Allocation V2 is the recommended way forward, and `ISTIO_META_DNS_AUTO_ALLOCATE` is soon to be deprecated in favour of this. {{< /tip >}} When this feature is enabled, the DNS response will include a distinct and automatically assigned address for each `ServiceEntry`. The proxy is then configured to match requests to this IP address, and forward the request to the corresponding `ServiceEntry`. When using `ISTIO_META_DNS_AUTO_ALLOCATE`, Istio will automatically allocate non-routable VIPs (from the Class E subnet) to such services as long as they do not use a wildcard host. The Istio agent on the sidecar will use the VIPs as responses to the DNS lookup queries from the application. Envoy can now clearly distinguish traffic bound for each external TCP service and forward it to the right target. For more information check respective [Istio blog about smart DNS proxying](/blog/2020/dns-proxy/#automatic-vip-allocation-where-possible). @@ -225,7 +225,7 @@ A virtual IP address will be assigned to every service entry so that client side ## DNS Auto Allocation V2 -Istio now offers an enhanced implementation of DNS Auto Allocation. To use the new feature, replace the feature flag `ISTIO_META_DNS_AUTO_ALLOCATE`, which was used in the previous example, with `PILOT_ENABLE_IP_AUTOALLOCATE` while installing Istio. All examples given so far would work as is. +Istio now offers an enhanced implementation of DNS Auto Allocation. To use the new feature, replace the meshConfig flag `ISTIO_META_DNS_AUTO_ALLOCATE`, which was used in the previous example, with the pilot environment variable `PILOT_ENABLE_IP_AUTOALLOCATE` while installing Istio. All examples given so far would work as is. {{< text bash >}} $ cat < Date: Thu, 14 Nov 2024 13:18:06 +0100 Subject: [PATCH 7/9] fix lint Signed-off-by: Faseela K --- .../ops/configuration/traffic-management/dns-proxy/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md index 39b799552deb5..7e007f0ca1e50 100644 --- a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md +++ b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md @@ -101,7 +101,7 @@ to [the following section](#external-tcp-services-without-vips) for more details To work around these issues, the DNS proxy additionally supports automatically allocating addresses for `ServiceEntry`s that do not explicitly define one. This is configured by the `ISTIO_META_DNS_AUTO_ALLOCATE` option. {{< tip >}} -Please see [DNS Auto Allocation V2](/docs/ops/configuration/traffic-management/dns-proxy/#dns-auto-allocation-v2) for a new enhanced implementation of auto allocation supported by Istio from 1.23 onwards. DNS Auto Allocation V2 is the recommended way forward, and `ISTIO_META_DNS_AUTO_ALLOCATE` is soon to be deprecated in favour of this. +Please see [DNS Auto Allocation V2](/docs/ops/configuration/traffic-management/dns-proxy/#dns-auto-allocation-v2) for a new enhanced implementation of auto allocation supported by Istio from 1.23 onwards. DNS Auto Allocation V2 is the recommended way forward, and `ISTIO_META_DNS_AUTO_ALLOCATE` is soon to be deprecated in favor of this. {{< /tip >}} When this feature is enabled, the DNS response will include a distinct and automatically assigned address for each `ServiceEntry`. The proxy is then configured to match requests to this IP address, and forward the request to the corresponding `ServiceEntry`. When using `ISTIO_META_DNS_AUTO_ALLOCATE`, Istio will automatically allocate non-routable VIPs (from the Class E subnet) to such services as long as they do not use a wildcard host. The Istio agent on the sidecar will use the VIPs as responses to the DNS lookup queries from the application. Envoy can now clearly distinguish traffic bound for each external TCP service and forward it to the right target. For more information check respective [Istio blog about smart DNS proxying](/blog/2020/dns-proxy/#automatic-vip-allocation-where-possible). @@ -225,7 +225,7 @@ A virtual IP address will be assigned to every service entry so that client side ## DNS Auto Allocation V2 -Istio now offers an enhanced implementation of DNS Auto Allocation. To use the new feature, replace the meshConfig flag `ISTIO_META_DNS_AUTO_ALLOCATE`, which was used in the previous example, with the pilot environment variable `PILOT_ENABLE_IP_AUTOALLOCATE` while installing Istio. All examples given so far would work as is. +Istio now offers an enhanced implementation of DNS Auto Allocation. To use the new feature, replace the `MeshConfig` flag `ISTIO_META_DNS_AUTO_ALLOCATE`, which was used in the previous example, with the pilot environment variable `PILOT_ENABLE_IP_AUTOALLOCATE` while installing Istio. All examples given so far would work as is. {{< text bash >}} $ cat < Date: Thu, 14 Nov 2024 21:37:30 +0100 Subject: [PATCH 8/9] Update index.md --- .../ops/configuration/traffic-management/dns-proxy/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md index 7e007f0ca1e50..75cee455394b5 100644 --- a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md +++ b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md @@ -101,7 +101,7 @@ to [the following section](#external-tcp-services-without-vips) for more details To work around these issues, the DNS proxy additionally supports automatically allocating addresses for `ServiceEntry`s that do not explicitly define one. This is configured by the `ISTIO_META_DNS_AUTO_ALLOCATE` option. {{< tip >}} -Please see [DNS Auto Allocation V2](/docs/ops/configuration/traffic-management/dns-proxy/#dns-auto-allocation-v2) for a new enhanced implementation of auto allocation supported by Istio from 1.23 onwards. DNS Auto Allocation V2 is the recommended way forward, and `ISTIO_META_DNS_AUTO_ALLOCATE` is soon to be deprecated in favor of this. +Please see [DNS Auto Allocation V2](/docs/ops/configuration/traffic-management/dns-proxy/#dns-auto-allocation-v2) for a new enhanced implementation of auto allocation supported by Istio from 1.23 onwards. DNS Auto Allocation V2 is the recommended for sidecar mode and required for ambient mode. {{< /tip >}} When this feature is enabled, the DNS response will include a distinct and automatically assigned address for each `ServiceEntry`. The proxy is then configured to match requests to this IP address, and forward the request to the corresponding `ServiceEntry`. When using `ISTIO_META_DNS_AUTO_ALLOCATE`, Istio will automatically allocate non-routable VIPs (from the Class E subnet) to such services as long as they do not use a wildcard host. The Istio agent on the sidecar will use the VIPs as responses to the DNS lookup queries from the application. Envoy can now clearly distinguish traffic bound for each external TCP service and forward it to the right target. For more information check respective [Istio blog about smart DNS proxying](/blog/2020/dns-proxy/#automatic-vip-allocation-where-possible). From d70168060c6ec4953976eff88ac43f7accbf6586 Mon Sep 17 00:00:00 2001 From: Faseela K Date: Thu, 14 Nov 2024 21:38:06 +0100 Subject: [PATCH 9/9] Update index.md --- .../ops/configuration/traffic-management/dns-proxy/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md index 75cee455394b5..90309220190f5 100644 --- a/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md +++ b/content/en/docs/ops/configuration/traffic-management/dns-proxy/index.md @@ -101,7 +101,7 @@ to [the following section](#external-tcp-services-without-vips) for more details To work around these issues, the DNS proxy additionally supports automatically allocating addresses for `ServiceEntry`s that do not explicitly define one. This is configured by the `ISTIO_META_DNS_AUTO_ALLOCATE` option. {{< tip >}} -Please see [DNS Auto Allocation V2](/docs/ops/configuration/traffic-management/dns-proxy/#dns-auto-allocation-v2) for a new enhanced implementation of auto allocation supported by Istio from 1.23 onwards. DNS Auto Allocation V2 is the recommended for sidecar mode and required for ambient mode. +Please see [DNS Auto Allocation V2](/docs/ops/configuration/traffic-management/dns-proxy/#dns-auto-allocation-v2) for a new enhanced implementation of auto allocation supported by Istio from 1.23 onwards. DNS Auto Allocation V2 is recommended for sidecar mode and required for ambient mode. {{< /tip >}} When this feature is enabled, the DNS response will include a distinct and automatically assigned address for each `ServiceEntry`. The proxy is then configured to match requests to this IP address, and forward the request to the corresponding `ServiceEntry`. When using `ISTIO_META_DNS_AUTO_ALLOCATE`, Istio will automatically allocate non-routable VIPs (from the Class E subnet) to such services as long as they do not use a wildcard host. The Istio agent on the sidecar will use the VIPs as responses to the DNS lookup queries from the application. Envoy can now clearly distinguish traffic bound for each external TCP service and forward it to the right target. For more information check respective [Istio blog about smart DNS proxying](/blog/2020/dns-proxy/#automatic-vip-allocation-where-possible).