Issue in proxying AWS Opensearch Dashboard endpoint

Hi,

I’ve an endpoint which I need to proxy via istio ingressgateway.

I need to proxy https://log.mydomain.com/ for https://vpc-dev-abcdefghi134klm.us-east-1.es.amazonaws.com/_dashboards/

I’m basically trying to expose an internal (which is only accessible inside my EKS VPC) Opensearch dashboard URL to the outside world. Since the target URL is not public, I cannot do a simple redirect.

I’ve created a ServiceEntry, Virtual Service, Gateway and a Destination rule to achieve this.

I’m able to hit https://log.mydomain.com/_dashboards and get what I need with the following configuration:

apiVersion: v1
items:
- apiVersion: networking.istio.io/v1beta1
  kind: Gateway
  metadata:
    name: logging-gateway
    namespace: logging
  spec:
    selector:
      istio: ingressgateway
    servers:
    - hosts:
      - log.mydomain.com
      port:
        name: http
        number: 80
        protocol: HTTP
kind: List
metadata:
  resourceVersion: ""
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kibana
  namespace: logging
spec:
  gateways:
    - logging-gateway
  hosts:
    - log.mydomain.com
  http:
    - match:
        - uri:
            prefix: "/"
      rewrite:
        uri: "/"
        authority: vpc-dev-abcdefghi134klm.us-east-1.es.amazonaws.com
      route:
        - destination:
            host: vpc-dev-abcdefghi134klm.us-east-1.es.amazonaws.com
            port:
              number: 443
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: kibana
  namespace: logging
spec:
  hosts:
    - vpc-dev-abcdefghi134klm.us-east-1.es.amazonaws.com
  location: MESH_EXTERNAL
  ports:
    - number: 443
      name: https
      protocol: TLS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: kibana
  namespace: logging
spec:
  host: "vpc-dev-abcdefghi134klm.us-east-1.es.amazonaws.com"
  trafficPolicy:
    tls:
      mode: SIMPLE

But like I stated first, my intention is to hit https://log.mydomain.com/ and get the dashboard. For that, I changed rewrite.uri to have /_dashboards/.

I was hoping all the calls to the target host, i.e. vpc-dev-abcdefghi134klm.us-east-1.es.amazonaws.com, will now become vpc-dev-abcdefghi134klm.us-east-1.es.amazonaws.com/_dashboards/.

But I’m getting {"statusCode":401,"error":"Unauthorized","message":"Authentication required"} and I can see the URL on the browser becoming https://log.mydomain.com/_dashboards/app/login?nextUrl=%2F_dashboards%2F

When the rewrite uri is empty, if we hit https://log.mydomain.com/_dashboards/, URL on the browser becomes https://log.mydomain.com/_dashboards/app/login?nextUrl=%2F_dashboards%2F and the dashboard loads.

I think the OpenSearch API does some endpoint rewriting internally to make _dashboards/ as _dashboards/app/login?nextUrl=%2F_dashboards%2F. When this combines with Istio rewriting, the endpoint becomes invalid.

Is there a way I can fix this?

This works perfectly fine with Nginx ingress controller if I use nginx.ingress.kubernetes.io/app-root annotation.

Is there a similar feature in Istio?

I was able to achieve what I need by adding one more VirtualService to do the redirection as follows:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kibana-redirection
  namespace: logging
spec:
  gateways:
    - logging-gateway
  hosts:
    - log.mydomain.com
  http:
    - match:
        - uri:
            exact: "/"
      redirect:
        uri: "/_dashboards/"
        authority: log.mydomain.com

It would’ve been great if there’s a simple way to achieve this.
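
An added illustration (not part of the original post, and not Istio or OpenSearch code) of why the prefix rewrite fails after the login redirect while the exact-match redirect works. It assumes a prefix rewrite replaces only the matched prefix, that the exact-match redirect is evaluated before the catch-all route, and it uses a constructed `upstream` stub whose responses mirror what the post reports.

```python
# Added illustration: a toy model of route matching, not Istio or OpenSearch code.
from urllib.parse import urlsplit

def apply_routes(routes, path):
    """First matching rule wins: ("redirect", path), ("route", upstream path) or ("none", path)."""
    for rule in routes:
        kind, value = rule["match"]
        hit = path == value if kind == "exact" else path.startswith(value)
        if not hit:
            continue
        if "redirect" in rule:
            return "redirect", rule["redirect"]
        # Prefix rewrite: only the matched prefix is replaced, the remainder is kept.
        return "route", rule["rewrite"] + path[len(value):]
    return "none", path

def upstream(path):
    """Constructed stand-in for the dashboard backend: (status, Location or None)."""
    p = urlsplit(path).path
    if p == "/_dashboards/":
        return 302, "/_dashboards/app/login?nextUrl=%2F_dashboards%2F"
    if p.startswith("/_dashboards/app/"):
        return 200, None
    return 401, None  # the status the post reports for the broken request

def browse(routes, path, max_hops=5):
    """Follow redirects like a browser: (status, browser path, paths sent upstream)."""
    sent = []
    for _ in range(max_hops):
        action, target = apply_routes(routes, path)
        if action == "none":
            return 404, path, sent
        if action == "redirect":  # answered by the gateway, never reaches the backend
            path = target
            continue
        sent.append(target)
        status, location = upstream(target)
        if status != 302:
            return status, path, sent
        path = location  # browser follows the backend's Location header
    return 508, path, sent

# rewrite.uri changed to /_dashboards/ on the catch-all prefix route
REWRITE_ONLY = [{"match": ("prefix", "/"), "rewrite": "/_dashboards/"}]
# extra exact-match redirect, original route left with rewrite.uri "/"
REDIRECT_FIX = [{"match": ("exact", "/"), "redirect": "/_dashboards/"},
                {"match": ("prefix", "/"), "rewrite": "/"}]

if __name__ == "__main__":
    for name, cfg in (("rewrite only", REWRITE_ONLY), ("redirect fix", REDIRECT_FIX)):
        print(name, browse(cfg, "/"))
```

With the rewrite-only rule, the second request reaches the backend as `/_dashboards/_dashboards/app/login?...`, because the rewrite is applied again to a path that already carries the prefix.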