External service https downgraded to http

Hi

I wanted to get some opinions from advanced Istio users to see if the error that I face is a bug or a misuse of Istio.

We have a Kubernetes cluster with istio 1.16.2 and we would like to offer access to an external service to users.
So basically istio behaving as a layer7 reverse proxy.

The problem is that when we successfully provide access to that service, requests from within the cluster to that external service no longer work.

We configured an ingress gateway + virtual service:

---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: http-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https-443
      number: 443
      protocol: HTTPS
    tls:
      credentialName: istio-http-gateway-secret
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myservice
spec:
  hosts:
    - myservice
  gateways:
    - http-gateway
  http:
    - route:
        - destination:
            host: externalservice
            port:
              number: 443
      match:
        - uri:
            prefix: /

And in order to access the external service we had to create a ServiceEntry and DestinationRule.
It is not clear to me why we had to create the ServiceEntry, since the outboundTrafficPolicy mode is ALLOW_ANY.

---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: externalservice
  namespace: istio-system
spec:
  hosts:
    - externalservice
  ports:
    - number: 443
      name: tls
      protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: externalservice
  namespace: istio-system
spec:
  host: externalservice
  trafficPolicy:
    tls:
      mode: SIMPLE

Requests to myservice over HTTPS work; we get a response from externalservice.

But the issue that we face now is that when we try to access https://externalservice from a pod which has the Istio sidecar container, we get a connection error.

curl --trace - https://externalservice returns:

= Recv SSL data, 5 bytes (0x5)
0000: 48 54 54 50 2f                                  HTTP/
== Info: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
== Info: Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

It looks like the Envoy proxy did an HTTP request.
Requests done directly from the Istio sidecar container work.

When we delete the DestinationRule, it then works from the pod, but it no longer works for external access through the ingress gateway (https myservice). We get a "the plain http request was sent to https port".

So it is not clear to me:

  1. Why do we have to create a ServiceEntry + DestinationRule for access to an external service via an ingress gateway? Is it to force Istio to behave as a layer 7 reverse proxy?

  2. Why, in that case, do requests originating from inside the cluster to the external service no longer work and appear to be downgraded to HTTP?

I did not try to set up an egress gateway, but it is not clear to me why I should have to in order to fix the issue.

Thank you in advance for your replies.

Just wanted to let you know that I actually faced the issue documented in Istio / Traffic Management Problems.

By connecting on port 80, so in the clear up to the Istio proxy, and having the Istio proxy do the TLS to the external service, it worked.
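The port-80 pattern the follow-up describes, written out as an added example (these are not the poster's manifests): the ServiceEntry maps port 80 to targetPort 443 and the DestinationRule originates TLS only on port 80, so an application sends plaintext to its own sidecar and the sidecar does the TLS handshake with the external host, while the app's own TLS on 443 is no longer wrapped in a second TLS layer. The host name externalservice and the istio-system namespace are taken from the post; the port mapping follows Istio's documented egress TLS origination setup.

```yaml
# Added example: sidecar-originated TLS for the external host named in the post.
# The application calls http://externalservice (port 80); the sidecar upgrades
# that connection to TLS on port 443 before it leaves the pod.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: externalservice
  namespace: istio-system
spec:
  hosts:
    - externalservice
  ports:
    - number: 80
      name: http-port
      protocol: HTTP
      targetPort: 443     # plaintext on 80 inside the pod, TLS to 443 outside
    - number: 443
      name: https-port
      protocol: HTTPS     # clients that already speak TLS are passed through
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: externalservice
  namespace: istio-system
spec:
  host: externalservice
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 80
        tls:
          mode: SIMPLE    # originate TLS only for port 80; 443 is untouched,
                          # so an app doing its own TLS is not double-wrapped
```

For the ingress gateway path, point the VirtualService destination at port 80 as well so the gateway originates TLS the same way. Traffic is in the clear only on the hop between the application container and its sidecar, which never leaves the pod's network namespace.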