
Local proxy resolution

Open jspdown opened this issue 5 years ago • 0 comments

Feature Request

In order to support end-to-end encryption between nodes, we first need to be able to resolve .maesh URLs into a local proxy. We first aimed at using ServiceTopology to solve this issue, but as this feature is still in the alpha stage, it could be removed in the next version without further notice. After studying different alternatives, we found that the least invasive, opt-in, low-privileged and easy-to-use solution would be to use a "local" DNS server.

Proposal

Write a MutatingAdmissionWebhook to inject a DNS proxy and set the dnsConfig and dnsPolicy attributes. This DNS proxy will rewrite ".maesh" URLs into node-aware shadow service URLs. For example: svc.ns.maesh -> maesh-svc-6d61657368-ns-6d61657368-node1.svc.cluster.local

The maesh-svc-6d61657368-ns-6d61657368-node1 shadow service will lead to a proxy deployed on node1.

jspdown, Sep 07 '20 15:09
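
The rewrite described in the proposal, as an added Go example that is not part of the original issue or Maesh's own code. The name layout (`maesh-` prefix, `-6d61657368-` separator, `.svc.cluster.local` suffix) is inferred from the single example in the issue; `RewriteMeshName`, the error values and the label checks (single-label node name, 63-byte limit on a Service name) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Layout inferred from the one example in the issue; not Maesh's own code.
const (
	meshSuffix   = ".maesh"
	separator    = "-6d61657368-" // as it appears in the issue's example name
	shadowDomain = ".svc.cluster.local"
)

var (
	ErrNotMesh = errors.New("not a .maesh name: forward unchanged")
	ErrInvalid = errors.New("invalid .maesh name: refuse to rewrite")
	dnsLabel   = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
)

// RewriteMeshName maps "<svc>.<ns>.maesh" to the node-aware shadow service name.
func RewriteMeshName(qname, node string) (string, error) {
	name := strings.ToLower(strings.TrimSuffix(qname, "."))
	if !strings.HasSuffix(name, meshSuffix) {
		return "", ErrNotMesh // the proxy must not touch other zones
	}
	labels := strings.Split(strings.TrimSuffix(name, meshSuffix), ".")
	if len(labels) != 2 {
		return "", fmt.Errorf("%w: want <svc>.<ns>.maesh, got %q", ErrInvalid, qname)
	}
	for _, l := range append(labels, node) {
		if !dnsLabel.MatchString(l) {
			return "", fmt.Errorf("%w: bad label %q", ErrInvalid, l)
		}
	}
	shadow := "maesh-" + labels[0] + separator + labels[1] + separator + node
	if len(shadow) > 63 { // a Service name is a single DNS label
		return "", fmt.Errorf("%w: shadow name is %d bytes", ErrInvalid, len(shadow))
	}
	return shadow + shadowDomain, nil
}

func main() {
	for _, q := range []string{"svc.ns.maesh.", "example.com", "a.b.c.maesh"} {
		out, err := RewriteMeshName(q, "node1") // constructed sample queries
		fmt.Println(q, "->", out, err)
	}
}
```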