You are browsing a read-only backup copy of Wikitech. The live site can be found at


From Wikitech-static
< User:JMeybohm
Revision as of 15:55, 3 September 2021 by imported>JMeybohm
Jump to navigation Jump to search

SIG-Networks new standard for ingress etc. (still v1alpha unfortunately):

Ingress stuff from Istio (k8s only and backed by istio CRD's):

Istio 1.8 latest version supported with k8s 1.16

Istio 1.11 tested with k8s 1.16 but not supported

ml currently uses istio 1.9 which is tested but not supported on k8s 1.16

IstioOperator Options:

istioctl builtin helm charts:

TLS Stuff / cert-manager

There is a cert-manager issuer for cfssl: (does not look very maintained/active)

But it might be easier (and less dependencies) to generate a new intermediate and use that with the ca-issuer that's build in to cert-manager

Could we have namespaces create "kind: Certificate" objects, let cert-manager create the corresponding "kind: Secret" (in the same namespace) and sync (with something like secrets to the istio-system namespace (for ingressgateway to be able to pick them up)?

Kubernetes Ingress

By using only the kubernetes ingress resource it is possible to create a fan out ingress and route "*" to a service in namespace "a" while routing "*" to a service in namespace "b". This is done by simply creating a Ingress for "" with a corresponding path matcher.

When the same host and path is specified in two ingress resources, the first one (created) wins.

This means it is not possible to break existing ingress objects while it is possible to "hijack" subpaths of a domain by creating another ingress (if the first one uses subpath matching rather than "/*" ofc.). If a subpath ingress is created first (e.g. "path: /one/*" ad afterwards created match all ingress ("path: /*") is not able to take over "/one/*". But this is pretty dangerous as de-deploying might lead to a different creation order and yield a different result