I’m currently investigating Istio as a service mesh solution for our data processing stack. A part of what I’m trying to solve is that our datalake service, Trino, only allows authentication when connected to via HTTPS. Istio’s mTLS would enable us to get other services within the cluster to automatically trust Trino without having to roll out our own CA certificate manually to every client.
The only thing that would be required for Trino to accept that it’s being served via an encrypted connection is that the downstream passes on an appropriate Forwarded header, such as X-Forwarded-Proto. Istio’s Envoy sidecar does that already; however, in my testing with a simple echo server and cURL from another container with a sidecar, I only ever received the http value for the X-Forwarded-Proto header.
I was able to confirm that mTLS is working at all, since the server also gets the X-Forwarded-Client-Cert header in the request. Am I simply wrong in my understanding of how the proxy is supposed to work? Since it’s terminating the TLS connection and understands that it’s HTTP traffic, I assumed it would also pass on https as the forwarded protocol.
The config for my test server looks like this, deployed on my local minikube instance running Istio v1.11.4 installed with the “minimal” profile:
apiVersion: v1
kind: Namespace
metadata:
  name: istio-test
---
apiVersion: v1
kind: Service
metadata:
  name: echo-server
  namespace: istio-test
  labels:
    app: echo-server
spec:
  type: ClusterIP
  ports:
    - port: 8080
      targetPort: 8080
      protocol: TCP
  selector:
    app: echo-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo-server
  namespace: istio-test
spec:
  selector:
    matchLabels:
      app: echo-server
  replicas: 1
  template:
    metadata:
      labels:
        app: echo-server
        sidecar.istio.io/inject: "true"
    spec:
      containers:
        - name: echo-server
          image: gcr.io/google-containers/echoserver:1.10
          ports:
            - containerPort: 8080
No matter which proxied pod I send a request from (e.g. curl http://echo-server.istio-test.svc.cluster.local:8080/), I only ever see x-forwarded-proto=http in the echoed request.
Am I missing some obvious configuration option or are my assumptions fundamentally wrong? Any help would be appreciated!
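As an added example (not part of the original post), here is a small Python check over a constructed echoserver reply like the one described above: it extracts the echoed request headers, pulls the caller's SPIFFE identity out of X-Forwarded-Client-Cert, and flags exactly the situation observed here, mTLS evidenced by XFCC while X-Forwarded-Proto still says http. The tab-indented reply layout, the SPIFFE IDs and the Hash value are assumptions, not data from the post.

```python
"""Inspect an echoserver reply that came through an Istio sidecar: what do the forwarded headers claim?"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of an echoserver (gcr.io/google-containers/echoserver:1.10)
# reply; the tab-indented key=value layout is assumed and Hash is a placeholder.
SAMPLE_REPLY = '''\
Request Headers:
\thost=echo-server.istio-test.svc.cluster.local:8080
\tuser-agent=curl/7.79.1
\tx-forwarded-client-cert=By=spiffe://cluster.local/ns/istio-test/sa/default;Hash=PLACEHOLDER;Subject="";URI=spiffe://cluster.local/ns/istio-test/sa/client
\tx-forwarded-proto=http
'''

@dataclass
class MeshView:
    forwarded_proto: Optional[str]
    peer_spiffe_id: Optional[str]   # XFCC URI= element: identity of the caller
    local_spiffe_id: Optional[str]  # XFCC By= element: the sidecar that terminated mTLS

    @property
    def mtls_terminated(self) -> bool:
        return self.peer_spiffe_id is not None

    @property
    def proto_mismatch(self) -> bool:
        # The situation in the question: XFCC proves mTLS on the wire, yet the
        # sidecar reports the app-facing (plaintext) hop as proto=http.
        return self.mtls_terminated and self.forwarded_proto != "https"

def parse_headers(reply: str) -> Dict[str, str]:
    """Return the headers echoed under 'Request Headers:' as a lowercase-keyed dict."""
    headers, in_section = {}, False
    for line in reply.splitlines():
        if line.startswith("Request Headers:"):
            in_section = True
        elif in_section and line.startswith("\t") and "=" in line:
            name, _, value = line.strip().partition("=")
            headers[name.lower()] = value
    return headers

def parse_xfcc(value: str) -> Dict[str, str]:
    """Split the nearest XFCC element into its By=/Hash=/Subject=/URI= parts (assumes no quoted delimiters)."""
    pairs = (seg.partition("=") for seg in value.split(",", 1)[0].split(";") if seg)
    return {k: v.strip('"') for k, _, v in pairs}

def inspect(reply: str) -> MeshView:
    headers = parse_headers(reply)
    xfcc = parse_xfcc(headers.get("x-forwarded-client-cert", ""))
    return MeshView(headers.get("x-forwarded-proto"), xfcc.get("URI"), xfcc.get("By"))
```

Judging "is this connection encrypted" from X-Forwarded-Proto alone would be misleading for a request like this one; the XFCC identity is the more reliable signal of what the sidecar actually terminated.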