update

dmz/istio-system/templates/annotate.yaml

@@ -1,13 +1,14 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  annotations:
-    topology.istio.io/controlPlaneClusters: cluster1
-  labels:
-    kubernetes.io/metadata.name: istio-system
-  name: istio-system
-spec:
-  finalizers:
-  - kubernetes
-status:
-  phase: Active
+#apiVersion: v1
+#kind: Namespace
+#metadata:
+#  annotations:
+#    topology.istio.io/controlPlaneClusters: cluster1
+#  labels:
+#    kubernetes.io/metadata.name: istio-system
+#  name: istio-system
+#spec:
+#  finalizers:
+#  - kubernetes
+#status:
+#  phase: Active
+#

dmz/istio-system/templates/expose.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+  name: cross-network-gateway
+spec:
+  selector:
+    istio: eastwestgateway
+  servers:
+    - port:
+        number: 15443
+        name: tls
+        protocol: TLS
+      tls:
+        mode: AUTO_PASSTHROUGH
+      hosts:
+        - "*.local"

dmz/istio-system/values.yaml

@@ -428,7 +428,7 @@ istiod:
     # If the mesh admin does not specify a value, Istio will use the value of the
     # mesh's Trust Domain. The best practice is to select a proper Trust Domain
     # value.
-    meshID: ""
+    meshID: "mesh1"
 
     # Configure the mesh networks to be used by the Split Horizon EDS.
     #
@@ -474,7 +474,7 @@ istiod:
 
     # Network defines the network this cluster belong to. This name
     # corresponds to the networks in the map of mesh networks.
-    network: ""
+    network: "network2"
 
     # Configure the certificate provider for control plane communication.
     # Currently, two providers are supported: "kubernetes" and "istiod".

infra/istio-system/templates/expose.yaml

@@ -1,53 +1,70 @@
+#apiVersion: networking.istio.io/v1
+#kind: Gateway
+#metadata:
+#  name: istiod-gateway
+#spec:
+#  selector:
+#    istio: eastwestgateway
+#  servers:
+#    - port:
+#        name: tls-istiod
+#        number: 15012
+#        protocol: tls
+#      tls:
+#        mode: PASSTHROUGH
+#      hosts:
+#        - "*"
+#    - port:
+#        name: tls-istiodwebhook
+#        number: 15017
+#        protocol: tls
+#      tls:
+#        mode: PASSTHROUGH
+#      hosts:
+#        - "*"
+#---
+#apiVersion: networking.istio.io/v1
+#kind: VirtualService
+#metadata:
+#  name: istiod-vs
+#spec:
+#  hosts:
+#  - "*"
+#  gateways:
+#  - istiod-gateway
+#  tls:
+#  - match:
+#    - port: 15012
+#      sniHosts:
+#      - "*"
+#    route:
+#    - destination:
+#        host: istiod.istio-system.svc.cluster.local
+#        port:
+#          number: 15012
+#  - match:
+#    - port: 15017
+#      sniHosts:
+#      - "*"
+#    route:
+#    - destination:
+#        host: istiod.istio-system.svc.cluster.local
+#        port:
+#          number: 443
+---
 apiVersion: networking.istio.io/v1
 kind: Gateway
 metadata:
-  name: istiod-gateway
+  name: cross-network-gateway
 spec:
   selector:
     istio: eastwestgateway
   servers:
     - port:
-        name: tls-istiod
-        number: 15012
-        protocol: tls
+        number: 15443
+        name: tls
+        protocol: TLS
       tls:
-        mode: PASSTHROUGH        
+        mode: AUTO_PASSTHROUGH
       hosts:
-        - "*"
-    - port:
-        name: tls-istiodwebhook
-        number: 15017
-        protocol: tls
-      tls:
-        mode: PASSTHROUGH          
-      hosts:
-        - "*"
----
-apiVersion: networking.istio.io/v1
-kind: VirtualService
-metadata:
-  name: istiod-vs
-spec:
-  hosts:
-  - "*"
-  gateways:
-  - istiod-gateway
-  tls:
-  - match:
-    - port: 15012
-      sniHosts:
-      - "*"
-    route:
-    - destination:
-        host: istiod.istio-system.svc.cluster.local
-        port:
-          number: 15012
-  - match:
-    - port: 15017
-      sniHosts:
-      - "*"
-    route:
-    - destination:
-        host: istiod.istio-system.svc.cluster.local
-        port:
-          number: 443
+        - "*.local"