Is it possible to use Istio as a reverse proxy? (similar to nginx proxy_pass)

@Illidan we were tasked with the same challenge two days ago. Looking at this thread helped, but did not solve our problems completely. In the end we got it working after following the Istio guide for TLS origination and then adapting it to our use case.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: kibana
  namespace: logging
spec:
  hosts:
  - aws.local
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https-port-for-tls-origination
    protocol: HTTPS
  resolution: DNS
  endpoints:
    - address: vpc-xxxxxxxxx..amazonaws.com
      ports:
        https: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kibana
  namespace: logging
spec:
  hosts:
  - aws.local
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: aws.local
        # subset: tls-origination
        port:
          number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: kibana
  namespace: logging
spec:
  host: aws.local
  # subsets:
  # - name: tls-origination
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE # initiates HTTPS 

A few changes were made from the Istio guide:

  1. @willian.campos’s suggestion was followed and the fully qualified domain was replaced with aws.local for the “internal host”.
  2. The subset definition was removed from the destination rule. Kiali was warning that the kibana virtual service could not access the subset, and there was only one, so it was safe to remove.

At this point I was able to curl http://vpc-xxxxxxxxx..amazonaws.com from the Sleep Pod and achieve the same result as curl https://vpc-xxxxxxxxx..amazonaws.com, meaning that the TLS origination was working.

The last thing to do was create another virtual service that would attach to the ingress gateway. Please note that our ingress gateway is performing TLS termination. The virtual service looked like this:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kibana-proxy
  namespace: logging
spec:
  hosts:
  - "logging.myproduct.com"
  gateways:
  - istio-system/istio-autogenerated-k8s-ingress
  http:
  - route:
    - destination:
        host: aws.local
        port:
          number: 443

And that completed the POC for us. I’m aware that this solution might have its own problems, but I hope it helps.

PS: have you tried to use AWS Cognito to provide a public entry point to Kibana? I’m not sure if it fits your use case, but it might make lives easier.

EDIT:
We had the following setting enabled:

Within the Elasticsearch AWS console: Actions -> Modify encryptions
Toggling this could help with debugging.
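The three manifests above form a chain that only works if they agree with each other: the VirtualService must route to a host and port that the ServiceEntry declares, and the DestinationRule must originate TLS on exactly that port (the Kiali warning about the missing subset is one instance of this kind of mismatch). The following is an added example, not code from the post or from Istio: a small static check that walks the manifests, transcribed here as Python dicts so it runs without a cluster or a YAML library, and reports inconsistencies. It also flags `tls.mode: SIMPLE` without `caCertificates`, because whether the sidecar verifies the upstream certificate in that configuration has depended on the Istio version, so it is worth confirming for the version in use. Function names and the finding format are assumptions of this example.

```python
"""Static consistency check for an Istio TLS-origination chain.

Added example, not from the original post: the manifests below are a
transcription of the ServiceEntry / VirtualService / DestinationRule
shown above, expressed as Python dicts so the check runs offline.
Function names and the (severity, message) finding format are assumptions.
"""

# Constructed transcription of the post's manifests (placeholder endpoint kept as-is).
SERVICE_ENTRY = {
    "kind": "ServiceEntry",
    "metadata": {"name": "kibana", "namespace": "logging"},
    "spec": {
        "hosts": ["aws.local"],
        "ports": [
            {"number": 80, "name": "http-port", "protocol": "HTTP"},
            {"number": 443, "name": "https-port-for-tls-origination", "protocol": "HTTPS"},
        ],
        "resolution": "DNS",
        "endpoints": [{"address": "vpc-xxxxxxxxx..amazonaws.com", "ports": {"https": 443}}],
    },
}

VIRTUAL_SERVICE = {
    "kind": "VirtualService",
    "metadata": {"name": "kibana", "namespace": "logging"},
    "spec": {
        "hosts": ["aws.local"],
        "http": [{
            "match": [{"port": 80}],
            "route": [{"destination": {"host": "aws.local", "port": {"number": 443}}}],
        }],
    },
}

DESTINATION_RULE = {
    "kind": "DestinationRule",
    "metadata": {"name": "kibana", "namespace": "logging"},
    "spec": {
        "host": "aws.local",
        "trafficPolicy": {
            "loadBalancer": {"simple": "ROUND_ROBIN"},
            "portLevelSettings": [{"port": {"number": 443}, "tls": {"mode": "SIMPLE"}}],
        },
    },
}


def _port_tls(rule, port):
    """Return the tls block that applies to `port` in a DestinationRule, or None."""
    if rule is None:
        return None
    policy = rule["spec"].get("trafficPolicy", {})
    for pls in policy.get("portLevelSettings", []):
        if pls.get("port", {}).get("number") == port and "tls" in pls:
            return pls["tls"]
    return policy.get("tls")  # fall back to the host-wide tls setting


def check_tls_origination(manifests):
    """Walk every VirtualService route and return a list of (severity, message).

    An empty list means every route that targets an HTTPS port of a
    ServiceEntry has a DestinationRule that originates TLS on that port
    and pins a CA bundle for verifying the upstream certificate.
    """
    findings = []
    entries = [m for m in manifests if m["kind"] == "ServiceEntry"]
    rules = [m for m in manifests if m["kind"] == "DestinationRule"]

    for vs in (m for m in manifests if m["kind"] == "VirtualService"):
        for http in vs["spec"].get("http", []):
            for route in http.get("route", []):
                dest = route["destination"]
                host, port = dest["host"], dest.get("port", {}).get("number")
                entry = next((e for e in entries if host in e["spec"]["hosts"]), None)
                if entry is None:
                    findings.append(("error", f"{host}: no ServiceEntry declares this host"))
                    continue
                se_port = next((p for p in entry["spec"]["ports"] if p["number"] == port), None)
                if se_port is None:
                    findings.append(("error", f"{host}:{port} is not a port of its ServiceEntry"))
                    continue
                rule = next((r for r in rules if r["spec"]["host"] == host), None)
                # The Kiali warning from the post: a subset referenced but never defined.
                if dest.get("subset"):
                    subsets = {s["name"] for s in (rule or {}).get("spec", {}).get("subsets", [])}
                    if dest["subset"] not in subsets:
                        findings.append(("error", f"{host}: subset '{dest['subset']}' is not defined in any DestinationRule"))
                if se_port["protocol"] != "HTTPS":
                    continue  # plaintext upstream port; nothing to originate
                tls = _port_tls(rule, port)
                if tls is None or tls.get("mode") not in ("SIMPLE", "MUTUAL"):
                    findings.append(("error", f"{host}:{port}: ServiceEntry port is HTTPS but no DestinationRule originates TLS on it"))
                elif "caCertificates" not in tls:
                    findings.append(("warning", f"{host}:{port}: tls.mode {tls['mode']} without caCertificates; confirm upstream certificate verification is enabled for your Istio version"))
    return findings


if __name__ == "__main__":
    for severity, msg in check_tls_origination([SERVICE_ENTRY, VIRTUAL_SERVICE, DESTINATION_RULE]):
        print(f"{severity}: {msg}")
```

Run against the post's manifests the check reports no errors, only the `caCertificates` warning; re-adding `subset: tls-origination` to the route without the matching subset in the DestinationRule reproduces the mismatch Kiali complained about.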