Allow incoming traffic to the Istio ingress gateway on service subnet. (

#4)
rancher-plugins · Dec 3, 2019 · 462dcaa · 462dcaa
1 parent 6f599b0
commit 462dcaa
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/oke/oke_manager_client.go b/oke/oke_manager_client.go
@@ -1358,6 +1358,11 @@ func (mgr *ClusterManagerClient) CreateVCNAndNetworkResources(state *State) (str
 		Max: common.Int(443),
 		Min: common.Int(443),
 	}
+	// Allow incoming traffic to the Istio ingress gateway port
+	istioGatewayPort := core.PortRange{
+		Max: common.Int(15443),
+		Min: common.Int(15443),
+	}
 	svcSecList := core.CreateSecurityListRequest{
 		CreateSecurityListDetails: core.CreateSecurityListDetails{
 			CompartmentId:        &state.CompartmentID,
@@ -1380,6 +1385,13 @@ func (mgr *ClusterManagerClient) CreateVCNAndNetworkResources(state *State) (str
 			DestinationPortRange: &httpsPortRange,
 		},
 	})
+	svcSecList.IngressSecurityRules = append(svcSecList.IngressSecurityRules, core.IngressSecurityRule{
+		Protocol: common.String("6"), // TCP
+		Source:   common.String("0.0.0.0/0"),
+		TcpOptions: &core.TcpOptions{
+			DestinationPortRange: &istioGatewayPort,
+		},
+	})
 
 	svcSecListResp, err := mgr.virtualNetworkClient.CreateSecurityList(ctx, svcSecList)
 	helpers.FatalIfError(err)