Destination rule causes SSL error in dotnet app

Hi,

I have a 3rd-party service, say api.service.com. I want our users to access it through our cluster, so I created a VirtualService, a ServiceEntry and a DestinationRule for it as follows:

... # virtual service (only the relevant route is shown)
    - name: api-service
      match:
        - uri:
            prefix: /third-party-api/
      rewrite:
        authority: api.service.com   # Host header sent upstream; the path is not rewritten
      route:
        - destination:
            host: api.service.com    # matches the ServiceEntry host below
            port:
              number: 443
          headers:
            request:
              add:
                Authorization: ApiKey {{ .Values.secrets.some-key }}
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: api-service
spec:
  hosts:
    - api.service.com
  location: MESH_EXTERNAL
  ports:
    - number: 443
      name: https
      protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: api-service
spec:
  host: api.service.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    tls:
      mode: SIMPLE   # sidecar originates TLS to api.service.com for every mesh client, on every port of this host

Now, I can do curl http://my.service.com/third-party-api/get-data, and the endpoint works.

However, I have a dotnet application in the cluster that also needs to access this api.service.com service. But when the app sends the request, it gets an SSL error. I sshed into the container and tried to use wget to hit the endpoint, and it also got an SSL error.

I knew my dotnet app worked before I applied the above settings. So I did some ablation experiments and found the DestinationRule is the culprit. If I remove the DestinationRule object, my dotnet app can access the service, but I cannot access the 3rd-party API through the VirtualService.

But I could not figure out what's wrong with those DestinationRule settings.

Thanks
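Editor's added example (not the poster's config and not a reply from this thread): the pattern Istio's own egress TLS-origination docs use to limit TLS origination to one port. A `trafficPolicy.tls` at the top level of a DestinationRule applies to every client in the mesh and every port of the host, so a client that already speaks HTTPS to api.service.com:443 gets a second TLS layer wrapped around its own TLS handshake. Scoping origination with `portLevelSettings` to a separate plaintext port that only the VirtualService route uses leaves the dotnet app's direct HTTPS connection on 443 as passthrough. It keeps the poster's host and resource names and assumes an Istio release whose ServiceEntry ports support `targetPort` (1.8 or later).

```yaml
# Added example: scope TLS origination to the VirtualService route only.
# Assumes Istio >= 1.8 (targetPort on ServiceEntry ports); host and names
# are the ones from the thread.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: api-service
spec:
  hosts:
    - api.service.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
    # Plaintext "front door" used only by the VirtualService route below.
    # The sidecar originates TLS and forwards to 443 on the real host.
    - number: 80
      name: http
      protocol: HTTP
      targetPort: 443
    # Real HTTPS port. Protocol HTTPS means the sidecar passes the client's
    # own TLS session through untouched, so no second TLS layer is added.
    - number: 443
      name: https
      protocol: HTTPS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: api-service
spec:
  host: api.service.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    # No top-level tls block. Origination applies to port 80 only; port 443
    # keeps the default (no origination), so in-mesh HTTPS clients such as
    # the dotnet app are unaffected.
    portLevelSettings:
      - port:
          number: 80
        tls:
          mode: SIMPLE
          sni: api.service.com
          # For production, also set caCertificates so the proxy verifies
          # the upstream certificate rather than trusting any server.
---
... # virtual service: the only change is the destination port, 443 -> 80
    - name: api-service
      match:
        - uri:
            prefix: /third-party-api/
      rewrite:
        authority: api.service.com
      route:
        - destination:
            host: api.service.com
            port:
              number: 80           # hits the plaintext port; sidecar upgrades to TLS
          headers:
            request:
              add:
                Authorization: ApiKey {{ .Values.secrets.some-key }}
```

To confirm which port the sidecar is actually originating TLS on, dump the dotnet pod's clusters with `istioctl proxy-config cluster <pod>.<namespace> --fqdn api.service.com -o json`: with the original DestinationRule both `outbound|443||api.service.com` and any other port carry a `transportSocket` TLS context; after this change only `outbound|80||api.service.com` should. Note that the API key is still injected by the mesh, so anything in the cluster that can reach the gateway route `/third-party-api/` sends requests with that key; that route needs the same access control the key itself would.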