Egressgateway via MTLS to TLS origination

Hello, Thanks for taking a look.

Goal:
My goal is for a consumer to HTTP-invoke derp.alias.svc.cluster.local (which is an alias for an external service), which the Istio cluster then sends out via the egressgateway.

Flow:
consumer (HTTP invoke, turns into MTLS) →
derp.alias.svc.cluster.local (rewrite authority and route to gateway) →
istio-egressgateway.istio-system.svc.cluster.local (MTLS termination, TLS origination) →
external service (e.g. edition.cnn.com)

Note: I am pinned back to Istio 1.7.6 for reasons.

Questions:

  1. The configuration I have below WORKS (egressgateway to TLS to cnn.com), but I cannot tell whether mTLS is working from the consumer to the egressgateway.
  2. Does "k8s-pod/security_istio_io/tlsMode": "istio", in the log below mean it was wrapped in MTLS?

(I can only put “4 links per post” so will follow on with details)

Consumer Log:

{
  "insertId": "qb0kznkwcrl0ggds",
  "jsonPayload": {
    "upstream_service_time": "55",
    "path": "/",
    "istio_policy_status": "-",
    "duration": "113",
    "request_id": "4a199464-bfcf-9fb9-96b6-8bf5bde1dbd1",
    "start_time": "2021-06-25T19:23:00.102Z",
    "upstream_host": "10.132.0.133:8080",
    "upstream_local_address": "10.132.0.146:35038",
    "upstream_transport_failure_reason": "-",
    "bytes_received": "0",
    "route_name": "test-80-redirect-external",
    "response_code": "200",
    "downstream_remote_address": "10.132.0.146:54490",
    "x_forwarded_for": "-",
    "authority": "edition.cnn.com",
    "downstream_local_address": "10.128.218.207:80",
    "method": "GET",
    "protocol": "HTTP/1.1",
    "requested_server_name": "-",
    "bytes_sent": "1121053",
    "upstream_cluster": "outbound|80||istio-egressgateway.istio-system.svc.cluster.local",
    "user_agent": "curl/7.77.0-DEV",
    "response_flags": "-"
  },
  "resource": {
    "type": "k8s_container",
    "labels": {
      "cluster_name": "sandbox-cluster-2",
      "container_name": "istio-proxy",
      "namespace_name": "curlservice",
      "location": "us-central1",
      "project_id": "alo-sandbox",
      "pod_name": "curlservice-55697b888c-lvg4b"
    }
  },
  "timestamp": "2021-06-25T19:23:05.236676526Z",
  "severity": "INFO",
  "labels": {
    "k8s-pod/service_istio_io/canonical-name": "curlservice",
    "k8s-pod/security_istio_io/tlsMode": "istio",
    "k8s-pod/app": "curlservice",
    "k8s-pod/istio_io/rev": "default",
    "k8s-pod/service_istio_io/canonical-revision": "latest",
    "k8s-pod/pod-template-hash": "55697b888c",
    "compute.googleapis.com/resource_name": "gke-sandbox-cluster--sandbox-cluster--468a00a7-kxch"
  },
  "logName": "projects/alo-sandbox/logs/stdout",
  "receiveTimestamp": "2021-06-25T19:23:08.203341587Z"
}

Egressgateway log

{
  "insertId": "kkruie6hm4iuhluz",
  "jsonPayload": {
    "protocol": "HTTP/2",
    "requested_server_name": "edition.cnn.com",
    "method": "GET",
    "upstream_service_time": "50",
    "duration": "107",
    "authority": "edition.cnn.com",
    "upstream_host": "151.101.129.67:443",
    "downstream_local_address": "10.132.0.133:8080",
    "request_id": "4a199464-bfcf-9fb9-96b6-8bf5bde1dbd1",
    "upstream_transport_failure_reason": "-",
    "response_flags": "-",
    "x_forwarded_for": "10.132.0.146",
    "istio_policy_status": "-",
    "upstream_local_address": "10.132.0.133:48716",
    "bytes_received": "0",
    "route_name": "-",
    "path": "/",
    "start_time": "2021-06-25T19:23:00.107Z",
    "upstream_cluster": "outbound|443||edition.cnn.com",
    "downstream_remote_address": "10.132.0.146:35038",
    "response_code": "200",
    "bytes_sent": "1121053",
    "user_agent": "curl/7.77.0-DEV"
  },
  "resource": {
    "type": "k8s_container",
    "labels": {
      "pod_name": "istio-egressgateway-b5c9c5-7xn49",
      "project_id": "alo-sandbox",
      "location": "us-central1",
      "cluster_name": "sandbox-cluster-2",
      "namespace_name": "istio-system",
      "container_name": "istio-proxy"
    }
  },
  "timestamp": "2021-06-25T19:23:07.306082290Z",
  "severity": "INFO",
  "labels": {
    "k8s-pod/chart": "gateways",
    "k8s-pod/service_istio_io/canonical-name": "istio-egressgateway",
    "k8s-pod/service_istio_io/canonical-revision": "latest",
    "k8s-pod/heritage": "Tiller",
    "k8s-pod/app": "istio-egressgateway",
    "k8s-pod/istio": "egressgateway",
    "k8s-pod/release": "istio",
    "compute.googleapis.com/resource_name": "gke-sandbox-cluster--sandbox-cluster--468a00a7-kxch",
    "k8s-pod/pod-template-hash": "b5c9c5"
  },
  "logName": "projects/alo-sandbox/logs/stdout",
  "receiveTimestamp": "2021-06-25T19:23:08.201939238Z"
}

I’m following examples

NS: alias

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  namespace: alias
  name: derp
spec:
  gateways:
  - mesh
  hosts:
  - derp.alias.svc.cluster.local
  http:
  - name: "test-80-redirect-external"
    match:
      - gateways:
        - mesh
        port: 80
    rewrite:
      authority: edition.cnn.com
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 80

NS: istio-system

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: cnn
spec:
  hosts:
  - edition.cnn.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: https-port-for-tls-origination
      protocol: HTTPS
    hosts:
    - "*.cnn.com"
    tls:
      mode: ISTIO_MUTUAL
---
# NOTE: This presents the same SNI (edition.cnn.com) outbound to *.cnn.com 
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-cnn
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: ISTIO_MUTUAL
        sni: edition.cnn.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-cnn-through-egress-gateway
spec:
  hosts:
  - "*.cnn.com"
  gateways:
  - istio-egressgateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 80
  - match:
    - gateways:
      - istio-egressgateway
      port: 80
    route:
    - destination:
        host: edition.cnn.com
        port:
          number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-edition-cnn-com
spec:
  host: "*.cnn.com"
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE # initiates HTTPS for connections to *.cnn.com

To partially answer my own question regarding the log labels: I think it’s just that the pod has the label security.istio.io/tlsMode: istio on it; it’s not annotating the flow. I am still not sure how I can tell if the flow is mTLS.
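As an added check (example code, not from the original post or from Istio), the script below correlates the two access-log entries above by request_id and inspects the fields that actually say something about TLS on the consumer-to-gateway hop; the sample log lines are constructed from the values in the post, and GATEWAY_FQDN and the expected SNI are taken from the DestinationRule.

```python
import json

# Constructed samples: the two Envoy access-log entries from the post, trimmed
# to the fields needed for correlation (values copied from the question).
CONSUMER_LOG = json.dumps({"jsonPayload": {
    "request_id": "4a199464-bfcf-9fb9-96b6-8bf5bde1dbd1",
    "upstream_cluster": "outbound|80||istio-egressgateway.istio-system.svc.cluster.local",
    "upstream_local_address": "10.132.0.146:35038",
    "requested_server_name": "-", "protocol": "HTTP/1.1", "response_code": "200"}})
GATEWAY_LOG = json.dumps({"jsonPayload": {
    "request_id": "4a199464-bfcf-9fb9-96b6-8bf5bde1dbd1",
    "downstream_remote_address": "10.132.0.146:35038",
    "requested_server_name": "edition.cnn.com", "protocol": "HTTP/2",
    "upstream_cluster": "outbound|443||edition.cnn.com", "response_code": "200"}})

GATEWAY_FQDN = "istio-egressgateway.istio-system.svc.cluster.local"


def check_hop(consumer_line, gateway_line, expected_sni):
    """Return named checks (True/False) for one request seen at both proxies."""
    c = json.loads(consumer_line)["jsonPayload"]
    g = json.loads(gateway_line)["jsonPayload"]
    return {
        # Same request at both hops: the sidecar propagates x-request-id.
        "same_request": c["request_id"] == g["request_id"],
        # The consumer sidecar chose the gateway cluster, not the origin directly.
        "routed_via_gateway": c["upstream_cluster"] == "outbound|80||" + GATEWAY_FQDN,
        # The gateway's downstream peer is the sidecar's upstream socket: one TCP hop.
        "socket_match": c["upstream_local_address"] == g["downstream_remote_address"],
        # requested_server_name is the SNI of the gateway's *inbound* TLS handshake.
        # It is "-" on a plaintext connection; here it equals the DestinationRule sni,
        # so the hop was TLS. Because the Gateway server on port 80 is ISTIO_MUTUAL,
        # a 200 through that listener also means a client certificate was presented.
        "inbound_tls_sni": g["requested_server_name"] == expected_sni,
        # The gateway then originated TLS to the external host on 443.
        "tls_origination": g["upstream_cluster"] == "outbound|443||" + expected_sni,
    }


def failing(consumer_line, gateway_line, expected_sni):
    """Names of the checks that did not hold, empty when the hop looks right."""
    checks = check_hop(consumer_line, gateway_line, expected_sni)
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    print("failed checks:", failing(CONSUMER_LOG, GATEWAY_LOG, "edition.cnn.com"))
```

The same indicators can be confirmed from the proxy config with `istioctl proxy-config cluster <consumer-pod> -n curlservice --fqdn istio-egressgateway.istio-system.svc.cluster.local --port 80 -o json`, which shows whether that cluster carries a TLS transport socket with the configured SNI.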