Intro I’ve been doing a lot with terraform lately, and I’ve been looking for ways to make my terraform configurations a lot simpler and have less repetition. Like a lot of people, I’ve found myself repeating the same code over and over. An example is where I repeat the same resource over and over but with different configuration parameters. It’s essentially the same resource. Why should I do this? There has to be a better way.

I got a question on how we can restrict access to certain external endpoints on a per namespace basis. There was an idea to use Istio’s egress gateway to control access to external endpoints, though I’m not convinced that’s a valid use case for an egress gateway today. So I went off to do some investigation, and found some options: Specifying which namespaces can access certain hosts defined in the ServiceEntry Specifying which endpoints can be accessed from a namespace But before that, a bit of back story of how we got here…

In this post, we will be testing Istio’s ServiceEntry by accessing a PostgreDB database hosted externally from the Kubernetes cluster. Setup “External” PostgresDB service Since we are running the Kubernetes cluster locally in Docker containers using k3d, we can create an “external” service by running a PostgresDB Docker container on the same host and expose its ports to localhost. Create a local PostgresDB container database using Docker docker run --name postgres --restart always -e POSTGRES_PASSWORD=password -d -p 5432:5432 postgres Create a test database app_db

Intro I recently discovered NGINX Unit - now there’s a disclaimer here as well - I work for the company that produces this software. I do think that it’s a very very cool piece of open source software, so it generally suits my ethos: Open Source Super cool software Extensible Makes my life as a developer easier It pretty much ticks all the boxes. What is it? This one is a little harder to answer.

In the previous post, we deployed the Bookinfo application on a k3s cluster with Istio enabled. In this post, we will explore the features on Istio Ingress. Kubernetes Ingress Istio should handle Kubernetes Ingress resource just fine as documented here. Here we create a Kubernetes Ingress to access the Bookinfo application. Note the additional annotation kubernetes.io/ingress.class: istio: kubectl -n bookinfo apply -f - <<EOF apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: kubernetes.