File Based Istio
This tool connects to Pilot, then dumps the XDS responses to files that can be read directly from Envoy.
The config will be slightly modified to change all config sources to point to the relevant files rather than Pilot. The bootstrap is also custom (and static). Aside from this, the config will be the same as from Pilot.
Install
go get github.com/howardjohn/file-based-istio
Usage
- The
-o
flag should be provided for the output directory, otherwise everything is output to stdout. - The
-i
flag can be provided to call Pilot as the pod. This is needed to get inbound listener, and maybe some other configs. - The
-n
flag can be provided to change the namespace to use for the pod - The
-p
flag can be provided to change the Pilot address to use. By default this islocalhost:15010
.
Example: file-based-istio -o install/files -i 10.28.0.166 -p localhost:15010
This generates all of the config needed into the install folder, which can be installed with:
helm template install | kubectl apply -f -
replace --force
may be needed instead of apply
as a hack to not write the config as an annotation, as large EDS responses can exceed the size limit on annotations.
To replicate a running pod:
function replicate() {
p="$(kubectl get pod -ojson $1 | jq -c)"
labels="$(<<<$p jq '[.metadata.labels | to_entries[] | .key + "=" + .value] | join(",")' -r)"
env="$(<<<$p jq '[.spec.containers[].env[]? | select(.value != null) | .name + "=" + (.value | gsub("[\\n\\t]"; ""))] | join(",")' -r)"
ip="$(<<<$p jq '.status.podIP' -r)"
ns="$(<<<$p jq '.metadata.namespace' -r)"
sa="$(<<<$p jq '.spec.serviceAccountName' -r)"
token=$(kubectl create token -n $ns $sa --audience=istio-ca)
echo "-l ${labels} -i ${ip} -n ${ns} -e ${env} -t ${token}"
}
file-based-istio `replicate shell-dc477d7c-tzk8s`
TODO
Client that sets SO_ORIGINAL_DST
directly to avoid iptables. Like this.