Hello,
I was wondering if there was a way to configure the PassthroughCluster (as created when using the ALLOW_ANY outbound traffic policy) to enable https inspection for traffic going out on port 443.
At the moment, for http traffic we get the istio_requests_total metric with the destination_service set to the host a workload is connecting to, which I find really useful.
istio_requests_total{connection_security_policy="unknown", destination_app="unknown", destination_canonical_revision="latest", destination_canonical_service="unknown", destination_principal="unknown", destination_service="google.com", destination_service_name="PassthroughCluster", destination_service_namespace="unknown", destination_version="unknown", destination_workload="unknown", destination_workload_namespace="unknown", instance="10.1.167.248:15090", job="envoy-stats", namespace="foo", pod_name="shell-74bfb49c86-8bsql", reporter="source", request_protocol="http", response_code="301", response_flags="-", source_app="unknown", source_canonical_revision="latest", source_canonical_service="shell", source_principal="unknown", source_version="unknown", source_workload="shell", source_workload_namespace="foo"}
But for https traffic, we don’t get any istio_requests_total metric, just the istio_tcp_sent_bytes_total without host information (as it doesn’t inspect the SNI header).
Is it possible to do this?
Thanks