I would like pods in my mesh to be able to send HTTP requests to a host in the cluster, and then configure Istio to proxy those requests to an external service that is expecting HTTPS. Here’s what I’m experimenting with:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: httpbin
spec:
  ports:
  - name: http
    port: 80
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
      - name: httpbin
        image: docker.io/kennethreitz/httpbin
        ports:
        - containerPort: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  gateways:
  - mesh
  hosts:
  - httpbin
  http:
  - route:
    - weight: 0
      destination:
        host: httpbin.default.svc.cluster.local
        port:
          number: 80
    - weight: 0
      destination:
        host: httpbin.org
        port:
          number: 80
    - weight: 100
      destination:
        host: httpbin.org
        port:
          number: 443
    rewrite:
      authority: httpbin.org
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
```
If I change the weights, the first two destinations (to a local or external HTTP service) work, but the third one (to a remote HTTPS service) doesn’t - it hangs for a while then returns 503. I tried experimenting with DestinationRule to apply a TLS traffic policy to httpbin.org, but it didn’t seem to help.
Is there a way to accomplish this?