I need to preserve source IPs until they reach my destination containers (X-Forwarded-For headers). On the web, the solutions/suggestions lead me to changing externalTrafficPolicy to 'Local' on the LB service definition; yet using kubectl edit or patch didn't work (the Azure platform keeps reverting the changes I've just made to their defaults). I use AKS managed Istio.
apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: asm-igx-aks-istio-ingressgateway-external
    meta.helm.sh/release-namespace: aks-istio-ingress
  creationTimestamp: "0.0.0.0"
  finalizers:
  - service.kubernetes.io/load-balancer-cleanup
  labels:
    app: aks-istio-ingressgateway-external
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: aks-istio-ingressgateway-external
    app.kubernetes.io/version: 1.0.0
    helm.sh/chart: azure-service-mesh-istio-ingress-gateway-addon-1.0.0-0.0.0.0
    helm.toolkit.fluxcd.io/name: asm-ingress-aks-istio-ingressgateway-external
    helm.toolkit.fluxcd.io/namespace: 0.0.0.0
    istio: aks-istio-ingressgateway-external
  name: aks-istio-ingressgateway-external
  namespace: aks-istio-ingress
  resourceVersion: "0.0.0.0"
  uid: 0.0.0.0
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: 0.0.0.0
  clusterIPs:
  - 0.0.0.0
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: 0.0.0.0
  ports:
  - name: status-port
    nodePort: 0.0.0.0
    port: 0.0.0.0
    protocol: TCP
    targetPort: 0.0.0.0
  - name: http2
    nodePort: 0.0.0.0
    port: 0.0.0.0
    protocol: TCP
    targetPort: 0.0.0.0
  - name: https
    nodePort: 0.0.0.0
    port: 0.0.0.0
    protocol: TCP
    targetPort: 0.0.0.0
  selector:
    app: aks-istio-ingressgateway-external
    istio: aks-istio-ingressgateway-external
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - ip: 0.0.0.0
Tried to use kubectl commands, but no luck. Unable to find the corresponding Helm charts that automatically deployed and managed the AKS Istio ingress and other resources like the LB.
Given the details of your setup and the need to modify the externalTrafficPolicy of the Istio Ingress Gateway to Local, here's how to proceed based on the Helm deployment of your Istio components, specifically targeting the istio-ingress release in the istio-ingress namespace.
If the istio-ingress Helm release is using default values, you'll need to create a custom values file to override the externalTrafficPolicy for the Istio Ingress Gateway service.
Create a new YAML file named custom-values.yaml.
Add the following content to custom-values.yaml, assuming the gateway Helm chart structure allows for specifying service properties:
Apply the Changes with Helm
Upgrade your Helm release with the custom values to modify the externalTrafficPolicy. Run the following command in your terminal:
Replace <chart-location> with the chart reference used during the initial installation.
externalTrafficPolicy is now set to Local by running:
Example: My istio setup
In my case, the istio-ingress Helm release is using default values, therefore I will create a custom values file to override the externalTrafficPolicy for the Istio Ingress Gateway service as below-
Now, how to know where exactly to modify? For that, do a helm show values istio/gateway
Here, based on the output of helm show values istio/gateway, to modify the externalTrafficPolicy for the Istio Ingress Gateway to Local, you should focus on the service section of the values. It's clear from the values output that externalTrafficPolicy is directly configurable under the service section. That's why I have modified my custom-values.yaml accordingly.
With your custom-values.yaml file now correctly structured, apply the changes
Now verify-
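An added example, not part of the original question or answer: a small check that reads a Service as JSON and reports whether it preserves client source IPs and whether its labels show Helm/Flux management, the labels visible on the Service in the question. The function name, the report fields and the sample data are assumptions made for this sketch; the sample is constructed from the question's manifest.

```python
import json
import sys

# Constructed sample modelled on the Service in the question; values are placeholders.
SAMPLE = json.dumps({
    "metadata": {
        "name": "aks-istio-ingressgateway-external",
        "labels": {
            "app.kubernetes.io/managed-by": "Helm",
            "helm.toolkit.fluxcd.io/name": "asm-ingress-aks-istio-ingressgateway-external",
        },
    },
    "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Cluster"},
})

# Labels from the question's manifest that point at a Helm/Flux-managed object.
MANAGER_LABELS = ("app.kubernetes.io/managed-by", "helm.toolkit.fluxcd.io/name")


def audit_service(svc_json):
    """Report whether a Service keeps client source IPs and who manages it."""
    svc = json.loads(svc_json)
    spec = svc.get("spec") or {}
    labels = (svc.get("metadata") or {}).get("labels") or {}
    svc_type = spec.get("type", "ClusterIP")
    # Kubernetes defaults externalTrafficPolicy to Cluster when it is unset.
    policy = spec.get("externalTrafficPolicy", "Cluster")
    external = svc_type in ("LoadBalancer", "NodePort")
    managers = {k: labels[k] for k in MANAGER_LABELS if k in labels}
    findings = []
    if external and policy != "Local":
        findings.append("externalTrafficPolicy=%s: traffic may be SNATed to a node IP, "
                        "so the gateway does not see the client address" % policy)
    if managers:
        findings.append("managed via %s: set the policy in the managing release's "
                        "values, manual kubectl edits can be overwritten"
                        % ", ".join(sorted(managers)))
    return {"policy": policy, "preserves_source_ip": external and policy == "Local",
            "managed_by": managers, "findings": findings}


if __name__ == "__main__":
    # Pipe in `kubectl get svc <name> -n <namespace> -o json`; falls back to SAMPLE.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    report = audit_service(raw.strip() or SAMPLE)
    print(json.dumps(report, indent=2))
```

Running it again some time after a change shows whether the policy stayed at Local or was reset to Cluster.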