Hi Community Professor,
Would you please help advise on a domain name issue?
Question:
In case the domain names are the same for the ingress gateway and the external service, ISTIO ingress gateway + ServiceEntry proxying requests from an external client to an external backend service works well. E.g. the hosts values are the same (e.g. data.sample.com) in all configuration files, including the Gateway and the ServiceEntry.
But in case the domain names are different between the ingress gateway and the external service, it does not work, even though we followed the official non-existent external service sample at https://istio.io/v1.8/docs/reference/config/networking/service-entry/. Any advice on this scenario?
Background:
ISTIO acts as an API gateway for the backend data service, which is outside of the k8s/Istio cluster.
ISTIO ingress and ServiceEntry are involved. The data flow can be seen in the architecture diagram below. (Here only the ingress gateway + ServiceEntry are involved in advance.)
Architecture:
Ingress gateway Domain-Name: data.sample.com
External Service Domain-Name: www.baidu.com (sample)
Access Test:
$ kubectl port-forward svc/istio-ingress 8080:8080 -n istio-ingress
$ curl -v -H"Host:data.sample.com" "http://data.sample.com:8080/"
* Trying 192.168.209.77...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x556bc4267fb0)
* Connected to data.sample.com (192.168.209.77) port 8080 (#0)
> GET / HTTP/1.1
> Host:data.sample.com
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< server: envoy
< date: Fri, 21 Oct 2022 12:55:46 GMT
< content-length: 0
< content-type: text/plain; charset=utf-8
< x-envoy-upstream-service-time: 37
<
* Connection #0 to host data.sample.com left intact
$ kubectl logs -l istio=ingress -c istio-proxy -n istio-ingress
[2022-10-21T09:16:44.289Z] "GET / HTTP/1.1" 403 - via_upstream - "-" 0 0 34 34 "172.28.8.140" "curl/7.64.0" "5ea491d9-bc0f-4bef-adea-a6ecec97be97" "data.sample.com" "110.242.68.3:80" outbound|80||data.sample.com 172.28.8.131:36374 172.28.8.131:8080 172.28.8.140:59370 - -
YAML Configuration:
#Ingress
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: data-gateway2
spec:
  selector:
    istio: ingress # use istio default controller
  servers:
  - port:
      number: 8080
      name: http
      protocol: HTTP
    hosts:
    - data.sample.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: data2
spec:
  hosts:
  - data.sample.com
  gateways:
  - data-gateway2
  http:
  - match:
    - uri:
        exact: /sample
    - uri:
        prefix: /
    route:
    - destination:
        host: www.baidu.com
        port:
          number: 80
    corsPolicy:
      allowOrigins:
      - regex: "http://.*"
---
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-ingress
spec:
  accessLogging:
  - providers:
    - name: envoy
---
#serviceEntry
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: data-se2
spec:
  hosts:
  - www.baidu.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
#  endpoints:
#  - address: www.baidu.com
#    ports:
#      http: 80
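
An added example, not part of the original post: a small parser for the istio-proxy access log line shown above, assuming the mesh uses Istio's default text access-log field order. It reports whether the status came from the upstream or from Envoy itself, and which Host (authority) and cluster the request was sent with; the second log line and the names `parse` and `diagnose` are constructed for illustration.

```python
import re

# Field order of Istio's default text access log (assumption: the mesh's
# accessLogFormat has not been customised).
FIELDS = [
    "start_time", "request", "response_code", "response_flags",
    "response_code_details", "connection_termination_details",
    "upstream_transport_failure_reason", "bytes_received", "bytes_sent",
    "duration", "upstream_service_time", "x_forwarded_for", "user_agent",
    "request_id", "authority", "upstream_host", "upstream_cluster",
    "upstream_local_address", "downstream_local_address",
    "downstream_remote_address", "requested_server_name", "route_name",
]
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted field or a bare token

# Log line copied from the post.
POST_LINE = (
    '[2022-10-21T09:16:44.289Z] "GET / HTTP/1.1" 403 - via_upstream - "-" '
    '0 0 34 34 "172.28.8.140" "curl/7.64.0" '
    '"5ea491d9-bc0f-4bef-adea-a6ecec97be97" "data.sample.com" '
    '"110.242.68.3:80" outbound|80||data.sample.com 172.28.8.131:36374 '
    '172.28.8.131:8080 172.28.8.140:59370 - -')
# Constructed line: Envoy answers by itself because no route matched.
NO_ROUTE_LINE = (
    '[2022-10-21T09:20:00.000Z] "GET / HTTP/1.1" 404 NR route_not_found - "-" '
    '0 0 0 - "172.28.8.140" "curl/7.64.0" '
    '"00000000-0000-0000-0000-000000000000" "other.sample.com" "-" - - '
    '172.28.8.131:8080 172.28.8.140:59371 - -')

def parse(line):
    """Split one access log line into a dict keyed by FIELDS."""
    values = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(line)]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))

def diagnose(line, backend_host):
    """Summarise who produced the status and which host names were used."""
    rec = parse(line)
    cluster_host = rec["upstream_cluster"].split("|")[-1]
    via_upstream = rec["response_code_details"] == "via_upstream"
    return {
        "status": int(rec["response_code"]),
        "answered_by": "upstream" if via_upstream else "envoy",
        "authority_sent": rec["authority"],
        "cluster_host": cluster_host,
        "authority_matches_backend": rec["authority"] == backend_host,
        "cluster_matches_backend": cluster_host == backend_host,
    }

if __name__ == "__main__":
    for line in (POST_LINE, NO_ROUTE_LINE):
        print(diagnose(line, "www.baidu.com"))
```

For the line in the post, the 403 is relayed from 110.242.68.3:80, and both the authority and the cluster name in that entry are data.sample.com rather than www.baidu.com.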