istio

1
apiVersion: release-notes/v2
2
kind: bug-fix
3
area: traffic-management
4
issues:
5
  - 37331
6
releaseNotes:
7
  - |
8
    **Improved** support for `ExternalName` services. See Upgrade Notes for more information
9
upgradeNotes:
10
  - title: "Upcoming `ExternalName` support changes"
11
    content: |
12
      Below describes *upcoming* changes to `ExternalName`.
13
      In this release, there is no behavioral changes by default.
14
      However, you can explicitly opt-in to the new behavior early if desired, and prepare your environments for the upcoming change.
15
      
16
      Kubernetes `ExternalName` `Service`s allow users to create new DNS entries. For example, you can create an `example` service
17
      that points to `example.com`. This is implemented by a DNS `CNAME` redirect.
18
      
19
      In Istio, the implementation of `ExternalName`, historically, was substantially different. Each `ExternalName` represented its own
20
      service, and traffic matching the service was sent to the configured DNS name.
21
      
22
      This caused a few issues:
23
      * Ports are required in Istio, but not in Kubernetes. This can result in broken traffic if ports are not configured as Istio expects, despite them working without Istio.
24
      * Ports not declared as `HTTP` would match *all* traffic on that port, making it easy to accidentally send all traffic on a port to the wrong place.
25
      * Because the destination DNS name is treated as opaque, we cannot apply Istio policies to it as expected. For example, if I point
26
        an external name at another in-cluster Service (for example, `example.default.svc.cluster.local`), mTLS would not be used.
27
      
28
      `ExternalName` support has been revamped to fix these problems. `ExternalName`s are now simply treated as aliases.
29
      Wherever we would match `Host: <concrete service>` we additionally will match `Host: <external name service>`.
30
      Note that the primary implementation of `ExternalName` -- DNS -- is handled outside of Istio in the Kubernetes DNS implementation, and remains unchanged.
31
      
32
      If you are using `ExternalName` with Istio, please be advised of the following behavioral changes:
33
      * The `ports` field is no longer needed, matching Kubernetes behavior. If it is set, it will have no impact.
34
      * `VirtualServices` that match on an `ExternalName` service will generally no longer match. Instead, the match should be rewritten to the referenced service.
35
      * `DestinationRule` can no longer apply to `ExternalName` services. Instead, create rules where the `host` references service.
36
      
37
      These changes are off-by-default in this release, but will be on-by-default in the near future.
38
      To opt-in early, the `ENABLE_EXTERNAL_NAME_ALIAS=true` environment variable can be set.
39