Hi
I wanted to get some opinions from advanced Istio users to see whether the error I face is a bug or a misuse of Istio.
We have a Kubernetes cluster with Istio 1.16.2 and we would like to offer users access to an external service.
So basically Istio behaving as a layer 7 reverse proxy.
The problem is that when we successfully provide access to that service, requests from within the cluster to that external service no longer work.
We configured an ingress gateway + virtual service:
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: http-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https-443
      number: 443
      protocol: HTTPS
    tls:
      credentialName: istio-http-gateway-secret   # terminates client TLS at the gateway
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myservice
spec:
  hosts:
  - myservice
  gateways:
  - http-gateway   # use istio-system/http-gateway if this VirtualService is not in istio-system
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: externalservice
        port:
          number: 443
And in order to access the external service we had to create a ServiceEntry and DestinationRule.
It is not clear to me why we had to create the ServiceEntry, since the outboundTrafficPolicy mode is ALLOW_ANY.
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: externalservice
  namespace: istio-system
spec:
  hosts:
  - externalservice
  ports:
  - number: 443
    name: tls
    protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: externalservice
  namespace: istio-system
spec:
  host: externalservice
  trafficPolicy:
    tls:
      mode: SIMPLE   # no exportTo, so this applies to every client of externalservice:443 in the mesh, sidecars included
Requests to myservice over HTTPS work: we get a response from externalservice.
But the issue we face now is that when we try to access https://externalservice from a pod that has the Istio sidecar container, we get a connection error.
curl --trace - https://externalservice returns:
= Recv SSL data, 5 bytes (0x5)
0000: 48 54 54 50 2f HTTP/
== Info: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
== Info: Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
It looks like the Envoy proxy made an HTTP request.
Requests made directly from the Istio sidecar container work.
When we delete the DestinationRule, it then works from the pod, but it no longer works for external access through the ingress gateway (HTTPS to myservice). We get a "The plain HTTP request was sent to HTTPS port" error.
So it is not clear to me:
- Why we have to create a ServiceEntry + DestinationRule to access an external service via an ingress gateway. Is it to force Istio to behave as a layer 7 reverse proxy?
- Why, in that case, requests originating from inside the cluster to the external service no longer work and appear to be downgraded to HTTP?
I did not try to set up an egress gateway, but it is not clear to me why I should have to in order to fix the issue.
Thank you in advance for your replies
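The manifests below are an added example written for this page, not configuration from the original post. They keep the poster's placeholder host names (myservice, externalservice) and assume the posted Gateway "http-gateway" in istio-system is unchanged. The point they illustrate: a DestinationRule with tls mode SIMPLE on port 443 and no exportTo is applied by every sidecar in the mesh, so when an application pod already speaks TLS to externalservice:443, the sidecar wraps that TLS session in a second one; the external server sees a TLS handshake where it expects an HTTP request and answers with a plaintext HTTP error, which curl then receives inside its own handshake, consistent with the "HTTP/" bytes and "wrong version number" in the trace above. The variant below moves TLS origination to a gateway-only plaintext port (80, mapped to the real 443 with targetPort) and leaves port 443 as TLS passthrough, so in-mesh HTTPS calls and gateway access work at the same time, without an egress gateway.

```yaml
# Added example (not from the original post): one ServiceEntry/DestinationRule
# pair that serves both the ingress gateway and sidecar-injected pods.
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: externalservice
  namespace: istio-system
spec:
  hosts:
  - externalservice            # placeholder host name from the post
  ports:
  - number: 80                 # plaintext port, used only by the gateway route
    name: http
    protocol: HTTP
    targetPort: 443            # Envoy connects to the real service on 443
  - number: 443                # what pods in the mesh already connect to
    name: tls
    protocol: TLS              # passthrough: the sidecar does not alter the bytes
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: externalservice
  namespace: istio-system
spec:
  host: externalservice
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: SIMPLE           # originate TLS only for traffic sent to port 80;
        sni: externalservice   # port 443 keeps the default (no origination).
                               # sni is optional here; set it for servers that require SNI
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myservice
  namespace: istio-system      # same namespace as the Gateway, so the short
                               # gateway name below resolves without a prefix
spec:
  hosts:
  - myservice
  gateways:
  - http-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: externalservice
        port:
          number: 80           # the port with TLS origination, not 443
```

To confirm the split from a sidecar-injected pod, `istioctl proxy-config cluster <pod> --fqdn externalservice` should show a TLS-originating cluster only for port 80, and `istioctl proxy-config listener <pod> --port 443` should show the outbound 443 listener as a plain TLS (SNI passthrough) listener rather than an HTTP one. If the gateway-to-external hop still fails after this change, the usual remaining cause is the Host header: the gateway forwards the client's Host (myservice) to externalservice, which works for the poster today but can be rewritten with a `rewrite.authority` on the VirtualService route if the upstream starts caring.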