Can I route HTTP traffic as HTTPS to an external service?


#1

I would like pods in my mesh to be able to send HTTP requests to a host in the cluster, and then configure Istio to proxy those requests to an external service that is expecting HTTPS. Here’s what I’m experimenting with:

apiVersion: v1
kind: Service
metadata:
  name: httpbin
spec:
  # Without a selector the Service has no endpoints, so the in-cluster
  # destination below would never get traffic.
  selector:
    app: httpbin
  ports:
  - name: http
    port: 80
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
      - name: httpbin
        image: docker.io/kennethreitz/httpbin
        ports:
        - containerPort: 80
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  gateways:
  - mesh
  hosts:
  - httpbin
  http:
    - route:
      # in-cluster HTTP
      - weight: 0
        destination:
          host: httpbin.default.svc.cluster.local
          port:
            number: 80
      # external HTTP
      - weight: 0
        destination:
          host: httpbin.org
          port:
            number: 80
      # external HTTPS (this is the one that fails)
      - weight: 100
        destination:
          host: httpbin.org
          port:
            number: 443
      rewrite:
        authority: httpbin.org
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL

If I change the weights, the first two destinations (to a local or external HTTP service) work, but the third one (to a remote HTTPS service) doesn’t - it hangs for a while then returns 503. I tried experimenting with DestinationRule to apply a TLS traffic policy to httpbin.org, but it didn’t seem to help.

Is there a way to accomplish this?


#2

Can you share your VirtualService and DestinationRule?

  • EDIT: sorry, failed to realize the text box scrolled.

#3

Do you have the istio-egressgateway deployed? This example from the docs seems to cover your use case: https://preliminary.istio.io/docs/examples/advanced-gateways/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway

Key takeaways: in your ServiceEntry, port 443 is actually defined as type HTTP, and the DestinationRule initiates the HTTPS.
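The pattern #3 describes, written out as a complete example for the original question (plaintext HTTP to the in-cluster `httpbin` host, TLS originated by the sidecar towards httpbin.org). This is an added example, not config from the thread or from the linked Istio docs. It assumes the `default` namespace, the `networking.istio.io/v1alpha3` API used above, sidecar-side origination rather than an egress gateway, and that the sidecar image carries a CA bundle at `/etc/ssl/certs/ca-certificates.crt` (the path is an assumption; adjust it to your proxy image). The Service and Deployment for `httpbin` are unchanged from post #1 and omitted here.

```yaml
# Added example (not from the thread): sidecar TLS origination for httpbin.org.
# Assumptions: namespace "default", v1alpha3 API, CA bundle path in the sidecar.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-org
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  # Port 443 is declared as HTTP, not HTTPS: the application and the routing
  # layer see plaintext HTTP, and the sidecar wraps it in TLS per the
  # DestinationRule below. Declaring it HTTPS would make Envoy expect TLS
  # from the application, which is why the original config got a 503.
  - number: 443
    name: http-port-for-tls-origination
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  gateways:
  - mesh
  hosts:
  - httpbin            # the in-cluster Service the pods talk to over HTTP
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: httpbin.org
        port:
          number: 443  # the "HTTP" port that the DestinationRule upgrades to TLS
    rewrite:
      authority: httpbin.org
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin-org
spec:
  host: httpbin.org
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE                  # sidecar originates TLS to the external host
        sni: httpbin.org              # send SNI so a shared front end picks the right cert
        # Pin the trust store explicitly rather than relying on the release's
        # default for an omitted caCertificates; this is what makes the
        # origination verify the server certificate. Path is an assumption.
        caCertificates: /etc/ssl/certs/ca-certificates.crt
```

To check it, exec into a sidecar-injected pod and run `curl -sS http://httpbin/headers`; the response should come from httpbin.org, and `istioctl proxy-config cluster <pod> --fqdn httpbin.org -o json` should show a TLS transport socket on the outbound 443 cluster. Leave the `sni` and `caCertificates` settings in place: `mode: SIMPLE` alone gets you an encrypted connection, but only an explicit trust store gives you an authenticated one.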