File Based Istio
This tool connects to Pilot, then dumps the XDS responses to files that can be read directly from Envoy.
The config will be slightly modified to change all config sources to point to the relevant files rather than Pilot. The bootstrap is also custom (and static). Aside from this, the config will be the same as from Pilot.
Install
go get github.com/howardjohn/file-based-istio
Usage
- The
-oflag should be provided for the output directory, otherwise everything is output to stdout. - The
-iflag can be provided to call Pilot as the pod. This is needed to get inbound listener, and maybe some other configs. - The
-nflag can be provided to change the namespace to use for the pod - The
-pflag can be provided to change the Pilot address to use. By default this islocalhost:15010.
Example: file-based-istio -o install/files -i 10.28.0.166 -p localhost:15010
This generates all of the config needed into the install folder, which can be installed with:
helm template install | kubectl apply -f -
replace --force may be needed instead of apply as a hack to not write the config as an annotation, as large EDS responses can exceed the size limit on annotations.
To replicate a running pod:
function replicate() {
p="$(kubectl get pod -ojson $1 | jq -c)"
labels="$(<<<$p jq '[.metadata.labels | to_entries[] | .key + "=" + .value] | join(",")' -r)"
env="$(<<<$p jq '[.spec.containers[].env[]? | select(.value != null) | .name + "=" + (.value | gsub("[\\n\\t]"; ""))] | join(",")' -r)"
ip="$(<<<$p jq '.status.podIP' -r)"
ns="$(<<<$p jq '.metadata.namespace' -r)"
sa="$(<<<$p jq '.spec.serviceAccountName' -r)"
token=$(kubectl create token -n $ns $sa --audience=istio-ca)
echo "-l ${labels} -i ${ip} -n ${ns} -e ${env} -t ${token}"
}
file-based-istio `replicate shell-dc477d7c-tzk8s`TODO
Client that sets SO_ORIGINAL_DST directly to avoid iptables. Like this.