Istio: Delegate permissions for a host to a specific namespace

7/2/2019

I'm looking to use Istio Ingress in a cluster that I'm experimenting with. However, one outstanding item that I'm not sure how to solve (or if it's solvable today) in Istio is the ability to delegate the ownership of a subdomain to a given namespace, so that there are no concerns that two competing projects/namespaces can claim ownership of bar.foo.com.

The best example of what I'm trying to accomplish that I could find is Heptio Contour, which allows you to define a root IngressRoute that delegates responsibility for a subdomain to a specific namespace.

https://github.com/heptio/contour/blob/master/docs/ingressroute.md#across-namespaces

Is this possible with Istio? I haven't found anything in the documentation about this sort of setup yet.

-- dherman
istio
kubernetes
kubernetes-ingress

1 Answer

7/4/2019

Despite the fact that Istio and Heptio Contour are powered by the Envoy proxy, they represent somewhat different approaches to performing specific traffic management tasks. Unlike Heptio Contour, Istio has been designed with a strongly defined set of internal Istio resources that are composed within particular CRDs, which are not based on the native Kubernetes Ingress API.

According to the official Istio documentation, the Ingress resource is represented within the Istio Gateway configuration. Because of this, Istio manages traffic routing through the VirtualService resource and declares routing rules within the same namespace, with no exceptions for delegating a path route to underlying objects residing in a separate namespace.

Therefore, conceptually Istio has been designed as an Edge Gateway; however, it represents a more complex approach in terms of authentication and authorization aspects compared to Heptio Contour.

-- mk_sta
Source: StackOverflow
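
A check for the concern raised in the question (two namespaces claiming bar.foo.com), as an added example that is not part of the original question or answer: it audits the `spec.hosts` of VirtualService manifests against a host-ownership policy. The `OWNERS` map, the `team-*` namespaces and the sample manifests are assumptions constructed for illustration; the input is assumed to be only the VirtualServices bound to the ingress gateway, already parsed into dicts.

```python
# Added example: audit Istio VirtualService hosts against a host-ownership policy.
# OWNERS and SAMPLE are constructed for illustration, not taken from a real cluster.

OWNERS = {  # hypothetical policy: host pattern -> namespace allowed to claim it
    "bar.foo.com": "team-bar",
    "*.shop.foo.com": "team-shop",
}

SAMPLE = [  # constructed VirtualService manifests (only the fields the audit reads)
    {"metadata": {"name": "bar", "namespace": "team-bar"},
     "spec": {"hosts": ["bar.foo.com"]}},
    {"metadata": {"name": "bar-copy", "namespace": "team-other"},
     "spec": {"hosts": ["bar.foo.com"]}},
    {"metadata": {"name": "cart", "namespace": "team-shop"},
     "spec": {"hosts": ["cart.shop.foo.com"]}},
]

def owner_of(host, owners=OWNERS):
    """Return the namespace that owns `host`, or None if no policy entry covers it.
    An exact entry wins over wildcards; among wildcards the longest suffix wins."""
    host = host.lower().rstrip(".")
    if host in owners:
        return owners[host]
    best = None
    for pattern, ns in owners.items():
        # "*.shop.foo.com" covers subdomains of shop.foo.com, not shop.foo.com itself
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, ns)
    return best[1] if best else None

def audit(virtual_services, owners=OWNERS):
    """Return (violations, conflicts).
    violations: (namespace, name, host) for hosts claimed outside the owning
                namespace; hosts with no policy entry are treated as violations.
    conflicts:  host -> sorted namespaces, for hosts claimed by several namespaces."""
    violations, claims = [], {}
    for vs in virtual_services:
        ns = vs["metadata"].get("namespace", "default")
        name = vs["metadata"]["name"]
        for host in vs["spec"].get("hosts", []):
            claims.setdefault(host.lower(), set()).add(ns)
            if owner_of(host, owners) != ns:
                violations.append((ns, name, host))
    conflicts = {h: sorted(n) for h, n in claims.items() if len(n) > 1}
    return violations, conflicts

if __name__ == "__main__":
    print(audit(SAMPLE))
```
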