Create the Network Load Balancer and specify the annotations
name: "istio-ingressgateway"
service:
  # type: ClusterIP
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-name: "istio-ingress-gateway"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: >-
      arn:aws:acm:us-east-1:xxxxxxxxxx:certificate/xxxxxxxxx
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    # service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-2017-01
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "preserve_client_ip.enabled=true"
    service.beta.kubernetes.io/aws-load-balancer-attributes: "deletion_protection.enabled=true, load_balancing.cross_zone.enabled=true"
  ports:
    - name: http2
      port: 80
      protocol: TCP
      targetPort: 80
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
    - name: tcp-kafka
      port: 9095
      protocol: TCP
      targetPort: 9095
imagePullPolicy: "IfNotPresent"
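The annotations above only preserve the client address when several of them are set together: the AWS Load Balancer Controller must own the Service (type "external"), targets must be pod IPs, proxy protocol v2 must be switched on so the gateway receives the original source address, and the target group must keep the client IP. The check below is an added example, not part of the original values file or of the controller; it parses the comma-separated attribute annotations and reports which of those prerequisites (plus the internal scheme and deletion protection) are missing. The annotation set is copied from the values file as constructed test input, with the certificate ARN left as the page's placeholder.

```python
PREFIX = "service.beta.kubernetes.io/"

# The annotation set from the values file above, copied here as test input;
# the certificate ARN is a placeholder, not a real resource.
PAGE_ANNOTATIONS = {
    PREFIX + "aws-load-balancer-name": "istio-ingress-gateway",
    PREFIX + "aws-load-balancer-ssl-cert": "arn:aws:acm:us-east-1:xxxxxxxxxx:certificate/xxxxxxxxx",
    PREFIX + "aws-load-balancer-scheme": "internal",
    PREFIX + "aws-load-balancer-type": "external",
    PREFIX + "aws-load-balancer-nlb-target-type": "ip",
    PREFIX + "aws-load-balancer-backend-protocol": "tcp",
    PREFIX + "aws-load-balancer-ssl-ports": "https",
    PREFIX + "aws-load-balancer-connection-idle-timeout": "3600",
    PREFIX + "aws-load-balancer-proxy-protocol": "*",
    PREFIX + "aws-load-balancer-target-group-attributes": "preserve_client_ip.enabled=true",
    PREFIX + "aws-load-balancer-attributes": "deletion_protection.enabled=true, load_balancing.cross_zone.enabled=true",
}


def parse_attribute_list(value):
    """Parse a controller attribute annotation ("k=v, k2=v2") into a dict.

    Whitespace around items and around keys/values is ignored; an item
    without '=' is a malformed annotation and is reported as an error.
    """
    out = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"attribute without '=': {item!r}")
        key, val = item.split("=", 1)
        out[key.strip()] = val.strip()
    return out


def client_ip_findings(annotations):
    """Return findings about the client-IP and exposure posture of a Service's annotations.

    An empty list means every prerequisite this lint knows about is present.
    """
    a = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    tg = parse_attribute_list(a.get("aws-load-balancer-target-group-attributes", ""))
    lb = parse_attribute_list(a.get("aws-load-balancer-attributes", ""))
    findings = []
    if a.get("aws-load-balancer-type") != "external":
        findings.append("type is not 'external': the AWS Load Balancer Controller would not reconcile this Service")
    if a.get("aws-load-balancer-nlb-target-type") != "ip":
        findings.append("nlb-target-type is not 'ip': the NLB would forward to node ports instead of the gateway pods")
    if a.get("aws-load-balancer-proxy-protocol") != "*":
        findings.append("proxy protocol v2 is not enabled: a gateway listener with the proxy_protocol filter expects a header on every connection")
    if tg.get("preserve_client_ip.enabled") != "true":
        findings.append("preserve_client_ip.enabled is not 'true' on the target group")
    if a.get("aws-load-balancer-scheme") != "internal":
        findings.append("scheme is not 'internal': the load balancer would be reachable from outside the VPC")
    if lb.get("deletion_protection.enabled") != "true":
        findings.append("deletion_protection.enabled is not 'true' on the load balancer")
    return findings


if __name__ == "__main__":
    for finding in client_ip_findings(PAGE_ANNOTATIONS) or ["no findings"]:
        print(finding)
```

Run it against the annotations of any Service that fronts the gateway; a finding is a deviation from the posture the values file above establishes, not necessarily an error for a different deployment.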
Create the EnvoyFilter to support the X-Forwarded-For header and its propagation
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: enable-forwarded-for
  namespace: istio-system
spec:
  configPatches:
    - applyTo: NETWORK_FILTER
      match:
        listener:
          filterChain:
            filter:
              name: envoy.filters.network.http_connection_manager
      patch:
        operation: MERGE
        value:
          name: envoy.http_connection_manager
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
            # append the direct peer address to X-Forwarded-For before forwarding upstream
            skip_xff_append: false
            # determine the client address from the connection (the proxy protocol header supplies it)
            use_remote_address: true
            # number of XFF-appending proxies in front of this gateway that are trusted
            xff_num_trusted_hops: 1
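What Envoy does with these three settings is easy to get wrong, so here is the documented rule carried through on sample headers. With use_remote_address on, Envoy takes the direct peer address (here the client address delivered by proxy protocol) as the client when xff_num_trusted_hops is 0; when it is N > 0, Envoy instead takes the N-th entry from the right of the incoming X-Forwarded-For header, falling back to the peer address if there is no such entry. An NLB is a layer-4 device and does not append to X-Forwarded-For, so N should count only proxies ahead of the gateway that do. The code below is an added example implementing that rule and the XFF append, not Envoy's code or anything from the original post; the addresses and headers are constructed for the demonstration.

```python
import ipaddress


def parse_xff(header):
    """Split an X-Forwarded-For value into its comma-separated entries."""
    if not header:
        return []
    return [e.strip() for e in header.split(",") if e.strip()]


def nth_from_right(entries, skip):
    """Skip `skip` entries from the right and return the next one, if it parses as an IP.

    Mirrors Envoy's behaviour of ignoring an entry that is not a valid address.
    """
    idx = len(entries) - 1 - skip
    if idx < 0:
        return None
    try:
        return str(ipaddress.ip_address(entries[idx]))
    except ValueError:
        return None


def trusted_client_address(remote_addr, xff_header, use_remote_address, xff_num_trusted_hops):
    """Resolve the client address the way the HttpConnectionManager settings above direct."""
    entries = parse_xff(xff_header)
    if use_remote_address:
        if xff_num_trusted_hops == 0:
            # Trust the connection itself; with proxy protocol this is the real client.
            return remote_addr
        # Trusted proxies in front of us appended to XFF: read back past them.
        chosen = nth_from_right(entries, xff_num_trusted_hops - 1)
    else:
        # Not using the connection address: the (N+1)-th entry from the right is the client.
        chosen = nth_from_right(entries, xff_num_trusted_hops)
    # No usable XFF entry at that position: Envoy falls back to the direct peer.
    return chosen if chosen is not None else remote_addr


def outgoing_xff(remote_addr, xff_header, use_remote_address, skip_xff_append):
    """XFF as sent upstream: the direct peer is appended when use_remote_address is on and skip_xff_append is off."""
    entries = parse_xff(xff_header)
    if use_remote_address and not skip_xff_append:
        entries.append(remote_addr)
    return ", ".join(entries)


if __name__ == "__main__":
    # Constructed scenario 1: NLB with proxy protocol, so the peer address is the client;
    # the client also sends its own X-Forwarded-For header.
    peer, client_xff = "198.51.100.7", "10.0.0.9"
    for hops in (0, 1):
        print(f"hops={hops}: client resolved as {trusted_client_address(peer, client_xff, True, hops)}")
    # Constructed scenario 2: an XFF-appending proxy (203.0.113.10) sits between client and gateway.
    print("behind one trusting proxy:", trusted_client_address("203.0.113.10", "198.51.100.7", True, 1))
    print("forwarded upstream as:", outgoing_xff(peer, client_xff, True, False))
```

In scenario 1 the value 0 resolves the client from the connection, while 1 resolves it from the header the client wrote itself; the number of trusted hops therefore has to match the number of header-appending proxies that really sit in front of the gateway, which is what to verify when an access log shows an unexpected client address.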
Create the EnvoyFilter to enable proxy protocol support
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: internal-ingressgateway-proxy-protocol
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
    - applyTo: LISTENER
      patch:
        operation: MERGE
        value:
          listener_filters:
            # order matters: the PROXY header arrives before the TLS ClientHello
            - name: envoy.filters.listener.proxy_protocol
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
            - name: envoy.filters.listener.tls_inspector
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
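The proxy_protocol listener filter reads the header the NLB prepends to every TCP connection, records the original client endpoints as the connection's remote address, and strips the header before the TLS inspector and the HTTP filters see the stream. To make concrete what that header carries, the following added example (not Envoy's implementation and not from the original post) builds a PROXY protocol v2 header the way an L4 proxy would and parses it back, returning the client endpoints and the untouched payload; the addresses, ports and payload are constructed for the demonstration.

```python
import ipaddress
import struct

# PROXY protocol v2 constants from the HAProxy PROXY protocol specification.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION = 0x20
PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x00, 0x01
PP2_AF_INET, PP2_AF_INET6 = 0x10, 0x20
PP2_PROTO_STREAM = 0x01


def build_proxy_v2(src_ip, src_port, dst_ip, dst_port):
    """Build the v2 header an L4 proxy prepends to a proxied TCP stream."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must be in the same address family")
    family = PP2_AF_INET if src.version == 4 else PP2_AF_INET6
    addrs = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return (PP2_SIGNATURE
            + bytes([PP2_VERSION | PP2_CMD_PROXY, family | PP2_PROTO_STREAM])
            + struct.pack("!H", len(addrs)) + addrs)


def parse_proxy_v2(data):
    """Parse a v2 header from the start of a stream.

    Returns (info, payload): info holds the original client endpoints, or is
    None for a LOCAL command (the proxy's own health check, no client behind it).
    Raises ValueError when the bytes are not a valid header, which is the case
    Envoy's filter treats as a protocol error and closes.
    """
    if len(data) < 16:
        raise ValueError("stream shorter than a v2 header")
    if data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY protocol v2 signature at start of stream")
    ver_cmd, fam_proto = data[12], data[13]
    if ver_cmd & 0xF0 != PP2_VERSION:
        raise ValueError("unsupported PROXY protocol version")
    (addr_len,) = struct.unpack("!H", data[14:16])
    end = 16 + addr_len
    if len(data) < end:
        raise ValueError("truncated address block")
    payload = data[end:]
    if ver_cmd & 0x0F == PP2_CMD_LOCAL:
        return None, payload
    family = fam_proto & 0xF0
    if family == PP2_AF_INET:
        size = 4
    elif family == PP2_AF_INET6:
        size = 16
    else:
        raise ValueError("unsupported address family")
    block = data[16:end]
    if len(block) < 2 * size + 4:
        raise ValueError("address block too short for its family")
    src = ipaddress.ip_address(block[:size])
    dst = ipaddress.ip_address(block[size:2 * size])
    src_port, dst_port = struct.unpack("!HH", block[2 * size:2 * size + 4])
    return {"src": str(src), "src_port": src_port, "dst": str(dst), "dst_port": dst_port}, payload


if __name__ == "__main__":
    # Constructed stream: client 198.51.100.7:51234 reaching the gateway pod 10.0.12.34:443 via the NLB.
    stream = build_proxy_v2("198.51.100.7", 51234, "10.0.12.34", 443) + b"GET / HTTP/1.1\r\n"
    info, payload = parse_proxy_v2(stream)
    print("client seen by the gateway:", info)
    print("bytes handed to the next filter:", payload)
```

Two consequences follow from the parse: the client address the gateway logs is whatever the entity that wrote the header put there, which is why the filter belongs only on listeners that are reachable exclusively through the NLB, and a connection that arrives without the header (anything talking to the gateway pods directly rather than through the load balancer) fails at this filter rather than reaching the HTTP layer.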