Configure Istio for OneAgent traffic in Kubernetes

Istio is a service mesh that helps running distributed microservice architectures. Istio uses the sidecar pattern to deploy a proxy to pods which then intercept network traffic between your microservices. Egress traffic of Istio-enabled pods is redirected to the sidecar proxy within each pod, and accessibility of endpoints outside of the cluster depends on the configuration of the proxy. This includes the communication of DESK OneAgent code modules. If the OneAgent code-modules' communication to the DESK environment is blocked, the DESK communication endpoints need to be explicitly added to the mesh or the proxy needs to be configured to pass through all requests.

Note:
OneAgent Operator version 0.4+ automatically manages Istio service entries and virtual services for your DESK environment when enableIstio is set to true in the custom resource. The DESK OneAgent code modules can then send monitoring information to your DESK environment.

This topic describes how to manually configure Istio for enabling egress traffic to your DESK environment if you aren't using OneAgent Operator version 0.4 or higher.

Prepare DESK tokens

Get a Platform-as-a-Service token to query the list of communication endpoints for the OneAgent. This token is later referenced as {token}.

Configure a ServiceEntry object

Get the list of available communication endpoints for your environment.

For this you need to make a GET call to the REST endpoint of your DESK environment. Don't forget to adapt the respective placeholders {environmentID} and {token}.

Managed SaaS

https://{your-domain}/e/{environmentID}/api/v1/deployment/installer/agent/connectioninfo?Api-Token={token}

https://{environmentID}.live.desk.com/api/v1/deployment/installer/agent/connectioninfo?Api-Token={token}

In return, you get a JSON object that covers the communicationEndpoints. The list of endpoints may look like this.

{
   ...
   "communicationEndpoints": [
      "https://gateway1.internal:9999/communication",
      "https://10.0.0.1:9999/communication",
      "https://gateway2.live.ruxit.com/communication",
      "https://gateway3.live.ruxit.com/communication"
   ]
}

Save the following snippet with the service entries to a file istio-oneagent-serviceentries.yaml and adapt the content to suit your communication endpoints from your JSON response above. The snippet below covers multiple ServiceEntry and VirtualService definitions.

Endpoints with a hostname that run on the same port (e.g. 9999 or 443) can be grouped in an HTTPS ServiceEntry and VirtualService combination.
Each endpoint with an IP address should be handled in its own TCP ServiceEntry.

Snippet with OneAgent service entries

Download

---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: desk-oneagent-hostnames-9999
spec:
  hosts:
  - gateway1.internal
  location: MESH_EXTERNAL
  ports:
  - number: 9999
    name: https-9999
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: desk-oneagent-hostnames-9999
spec:
  hosts:
  - gateway1.internal
  tls:
  - match:
    - port: 9999
      sni_hosts:
      - gateway1.internal
    route:
    - destination:
        host: gateway1.internal
        port:
          number: 9999
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: desk-oneagent-hostnames
spec:
  hosts:
  - gateway2.live.ruxit.com
  - gateway3.live.ruxit.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https-443
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: desk-oneagent-hostnames
spec:
  hosts:
  - gateway2.live.ruxit.com
  - gateway3.live.ruxit.com
  tls:
  - match:
    - port: 443
      sni_hosts:
      - gateway2.live.ruxit.com
    route:
    - destination:
        host: gateway2.live.ruxit.com
        port:
          number: 443
  - match:
    - port: 443
      sni_hosts:
      - gateway3.live.ruxit.com
    route:
    - destination:
        host: gateway3.live.ruxit.com
        port:
          number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: desk-oneagent-ips
spec:
  hosts:
  - ignored.subdomain #ignored 
  addresses:
  - 10.0.0.1/32
  location: MESH_EXTERNAL
  ports:
    - number: 9999  
      protocol: TCP
      name: tcp-9999
  resolution: NONE

Create the ServiceEntry and VirtualService objects

Create the ServiceEntry and VirtualService configuration from the saved file. We recommend to create the ServiceEntry and VirtualService resources in a desk namespace.

$ kubectl -n desk create -f istio-oneagent-serviceentries.yaml

Remove the ServiceEntry and VirtualService objects

In case you uninstalled the OneAgent you'll also need to remove the ServiceEntry configurations.

$ kubectl -n desk delete -f istio-oneagent-serviceentries.yaml