### Description

Feature Request

In order to support end-to-end encryption between nodes, we first need to be able to resolve `.maesh` URLs into a local proxy. We first aimed at using ServiceTopology to solve this issue, but as this feature is still in alpha stage it could be removed in the next version without further notice. After studying different alternatives, we found that the least invasive, opt-in, low-privileged and easy-to-use solution would be to use a "local" DNS server.
### Proposal

Write a MutatingAdmissionWebhook to inject a DNS proxy and set the `dnsConfig` and `dnsPolicy` attributes. This DNS proxy will rewrite `.maesh` URLs into node-aware shadow service URLs.

For example: `svc.ns.maesh` -> `maesh-svc-6d61657368-ns-6d61657368-node1.svc.cluster.local`

The `maesh-svc-6d61657368-ns-6d61657368-node1` shadow service will lead to a proxy deployed on `node1`.
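As an added illustration of the rewrite rule above (example code, not part of this issue or of the Maesh code base), the function below maps a `<svc>.<ns>.maesh` query to the node-aware shadow service name and rejects anything that is not exactly three labels. It assumes the `6d61657368` separator from the example is constant, that the node name is a single DNS label, and it checks the RFC 1035 63-character label limit, which the long shadow name can hit for long service or node names.

```go
package main

import (
	"fmt"
	"strings"
)

// maeshSeparator is the hex encoding of "maesh", reproduced from the example
// shadow service name above; assumed here to be a fixed separator.
const maeshSeparator = "6d61657368"

// maxDNSLabel is the RFC 1035 limit for a single DNS label.
const maxDNSLabel = 63

// rewriteMaeshName maps a ".maesh" query such as "svc.ns.maesh" (with or
// without the trailing dot a resolver sends) to the shadow service name
// "maesh-svc-6d61657368-ns-6d61657368-<node>.svc.cluster.local".
// Queries that are not exactly <svc>.<ns>.maesh are refused, as are results
// whose first label would exceed the DNS label limit.
func rewriteMaeshName(query, node string) (string, error) {
	fqdn := strings.HasSuffix(query, ".")
	q := strings.ToLower(strings.TrimSuffix(query, "."))
	labels := strings.Split(q, ".")
	if len(labels) != 3 || labels[2] != "maesh" || labels[0] == "" || labels[1] == "" {
		return "", fmt.Errorf("not a <svc>.<ns>.maesh name: %q", query)
	}
	if node == "" || strings.Contains(node, ".") {
		return "", fmt.Errorf("node name must be a single non-empty label: %q", node)
	}
	shadow := strings.Join([]string{"maesh", labels[0], maeshSeparator, labels[1], maeshSeparator, node}, "-")
	if len(shadow) > maxDNSLabel {
		return "", fmt.Errorf("shadow service label %q exceeds %d characters", shadow, maxDNSLabel)
	}
	target := shadow + ".svc.cluster.local"
	if fqdn {
		target += "."
	}
	return target, nil
}

func main() {
	out, err := rewriteMaeshName("svc.ns.maesh.", "node1")
	fmt.Println(out, err)
}
```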