cloudflare-ingress-controller
Support using an existing Ingress as upstream
When using this project with Istio mTLS, the ideal situation would be to send traffic through the Istio Ingress instead of directly to an Endpoint. Ingress resources don't support this mapping, so it might make more sense to add a new CRD that maps a warp tunnel to any hostname.
The ideal situation: one could use an existing Istio cluster and, without changing any existing configuration, be able to serve traffic over warp tunnels.
Some reference links:
https://docs.google.com/document/d/1mGpUsRgmA9wPB73trfTiB9YUuwYh-31iulYg9USxe0Y/edit
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/istio-security/zhLfuYuPcZE/8xUHYO3oCAAJ
Wouldn't that require a fair amount of patches to Envoy?
Not really; in fact, this issue/comment was created when Ross's cluster was using Istio with an auto-injected sidecar for mTLS, invalidating any other ingress controller in the cluster (in that they do not / won't have the shared secret used for mTLS). His idea was to modify the controller to route traffic to other hosts (exposed by other ingress controllers), so argo -> istio -> origin; assuming the CNI keeps the traffic within the cluster, it's not super bad. It would also have to watch for cycles to itself (e.g. not be able to route to a hostname it exposes).
All of that said, it further complicates the request flow. In an Istio environment, it makes more sense to simply run cloudflared as a sidecar (hole punch out, and avoid the issue altogether).
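As an added illustration of the cycle check discussed in this thread (example code, not part of the cloudflare-ingress-controller project), the Go function below follows each tunnel hostname's upstream chain and rejects any route that leads back to a hostname the controller itself exposes, including multi-hop loops through several of its own routes. The Route type and the example hostnames are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Route (an assumed type, not the project's own) maps a hostname this controller
// exposes over a tunnel to the upstream host (e.g. the Istio ingress) it forwards to.
type Route struct {
	Host     string
	Upstream string
}

// normalizeHost lower-cases and strips a trailing dot so "APP.Example.com." == "app.example.com".
func normalizeHost(h string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(h)), ".")
}

// CheckRouteCycles rejects duplicate exposed hostnames and any route whose upstream
// chain leads back to a hostname this controller exposes; on a cycle it returns
// the path (host -> upstream -> ... -> host) alongside the error.
func CheckRouteCycles(routes []Route) ([]string, error) {
	exposed := make(map[string]string, len(routes)) // tunnel host -> upstream
	for _, r := range routes {
		h := normalizeHost(r.Host)
		if _, dup := exposed[h]; dup {
			return nil, fmt.Errorf("hostname %q exposed by more than one route", h)
		}
		exposed[h] = normalizeHost(r.Upstream)
	}
	for _, r := range routes {
		start := normalizeHost(r.Host)
		path := []string{start}
		seen := map[string]bool{start: true}
		next := exposed[start]
		// Walk only while the upstream is one of our own hosts; any other hop leaves us.
		for up, ours := exposed[next]; ours; up, ours = exposed[next] {
			path = append(path, next)
			if seen[next] {
				return path, fmt.Errorf("route %q loops back through the controller: %s",
					start, strings.Join(path, " -> "))
			}
			seen[next] = true
			next = up
		}
	}
	return nil, nil
}
```

Running the check on every reconciliation, before a route is programmed into the tunnel, keeps a misconfigured hostname from ever sending traffic back into the controller.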