I wanted to get some opinions from advanced Istio users to see whether the error I face is a bug or a misuse of Istio.
We have a Kubernetes cluster with Istio 1.16.2 and we would like to offer users access to an external service.
So basically Istio behaving as a layer 7 reverse proxy.
The problem is that once we successfully provide access to that service, requests from within the cluster to that external service no longer work.
We configured an ingress gateway + virtual service:
```yaml
---
# apiVersion was missing from the pasted manifest; networking.istio.io/v1beta1
# matches the VirtualService below
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: http-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https-443
      number: 443
      protocol: HTTPS
    tls:
      credentialName: istio-http-gateway-secret
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myservice
spec:
  hosts:
  - myservice   # hosts must be a list
  gateways:
  - http-gateway
  http:
  - route:
    - destination:
        host: externalservice
        port:
          number: 443
    match:
    - uri:
        prefix: /
```
And in order to access the external service we had to create a ServiceEntry and DestinationRule.
It is not clear to me why we had to create the ServiceEntry, since the outboundTrafficPolicy mode is ALLOW_ANY.
```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: externalservice
  namespace: istio-system
spec:
  hosts:
  - externalservice
  ports:
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: externalservice
  namespace: istio-system
spec:
  host: externalservice
  trafficPolicy:
    tls:
      mode: SIMPLE
```
Requests to myservice over HTTPS work; we get a response from externalservice.
But the issue we face now is that when we try to access https://externalservice from a pod which has the Istio sidecar container, we get a connection error.
`curl --trace - https://externalservice` returns:

```
= Recv SSL data, 5 bytes (0x5)
0000: 48 54 54 50 2f                                  HTTP/
== Info: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
== Info: Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
```
It looks like the Envoy proxy made an HTTP request.
Requests made directly from the Istio sidecar container work.
When we delete the DestinationRule, it then works from the pod, but it no longer works for external access through the ingress gateway (HTTPS to myservice). We get a "the plain http request was sent to https port" error.
So it is not clear to me:
- Why do we have to create a ServiceEntry + DestinationRule to reach an external service via an ingress gateway? Is it to force Istio to behave as a layer 7 reverse proxy?
- Why, in that case, do requests originating from inside the cluster to the external service no longer work and appear to be downgraded to HTTP?
I did not try to set up an egress gateway, but it is not clear to me why I should have to in order to fix the issue.
Thank you in advance for your replies
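As an added example, not from the original post, this is the port-level variant of the TLS origination pattern in Istio's egress documentation: the ServiceEntry exposes a plaintext port 80 that maps to the external 443, and the DestinationRule originates TLS only for that port, so sidecar traffic that is already TLS on 443 is passed through instead of being wrapped in a second TLS layer (which is what makes curl see an "HTTP/" response where it expects a ServerHello). The host name externalservice and the 443 target come from the post; that this resolves the poster's setup is an assumption.

```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: externalservice
  namespace: istio-system
spec:
  hosts:
  - externalservice
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  # Plaintext port for the ingress gateway route only; the proxy originates
  # TLS and connects to the real 443 on the external host.
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 443
  # Pods that already speak HTTPS use this port and are passed through untouched.
  - number: 443
    name: tls
    protocol: TLS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: externalservice
  namespace: istio-system
spec:
  host: externalservice
  trafficPolicy:
    portLevelSettings:
    # TLS origination scoped to port 80 instead of the whole host, which is
    # what wrapped the pods' own TLS handshake a second time.
    - port:
        number: 80
      tls:
        mode: SIMPLE
```

With this in place the gateway VirtualService's destination port changes from 443 to 80 so the gateway route picks up the origination. Both resources sit in istio-system without exportTo, as in the post, so they apply to every sidecar in the mesh; verify the per-pod effect with `istioctl proxy-config cluster <pod> --fqdn externalservice` before and after.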