Originate TLS for arbitrary domains

We would like to originate TLS for any outgoing HTTP traffic from our pods. For example, all the external requests towards *.service.consul are originally made with HTTP from our applications, and we would like to initiate TLS in the sidecar in order to enforce encryption of the communication.

I’ve tried to follow the Wildcard configuration for arbitrary domains documentation, but it only works for requests that originally use HTTPS; I wasn’t able to make it work with HTTP.

There is also this other approach in the documentation, TLS origination for egress traffic, but it requires specifying the target domains, and I can’t use wildcards such as *.service.consul.

Is there any approach to implement this use case?
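For reference, this is what the "TLS origination for egress traffic" approach mentioned above looks like for a single explicit host. It is an added example, not configuration from the original post: the hostname api.service.consul, the resource names and the CA bundle path are assumptions.

```yaml
# Added example (not from the original post). Static TLS origination for ONE
# explicit host: the app sends plaintext HTTP to api.service.consul:80, the
# sidecar rewrites the port to 443 and starts TLS. Hostname, names and the CA
# path are assumptions.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: api-service-consul
spec:
  hosts:
  - api.service.consul          # one explicit host; this is where a wildcard would be needed
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: api-service-consul
spec:
  hosts:
  - api.service.consul
  http:
  - match:
    - port: 80                  # plaintext from the application
    route:
    - destination:
        host: api.service.consul
        port:
          number: 443           # redirected to the TLS port
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: api-service-consul
spec:
  host: api.service.consul
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE                         # sidecar originates TLS
        sni: api.service.consul              # static: one SNI per host
        caCertificates: /etc/certs/consul-ca.pem   # assumption: CA mounted into the sidecar
        subjectAltNames:                     # exact-match SAN check
        - api.service.consul
```

Two things matter for security here. Set caCertificates explicitly so that server certificate verification does not depend on the proxy's defaults, and set subjectAltNames so the presented certificate is checked against the host you intended to reach; both values, like sni, are fixed per host, which is why this pattern cannot be written once for *.service.consul.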

I’m not sure if this is supported, cc some other people who might have better context here, @howardjohn @Oliver

tl;dr no

Long answer: you can, but… you cannot set the SNI dynamically (only static is supported). You cannot properly verify the SAN of the server (which makes it either unreliable or insecure), since we only support exact match. You cannot use egressgateway, since it doesn’t support original_dst.

That’s what I guessed yes, thanks a lot for the answer!

Envoy offers a dynamic forward proxy. With that (applied as an EnvoyFilter) you will not need any explicit service entry to be added, and you can instruct Envoy to originate TLS for regex-matched domains.
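As an added example of the approach in the reply above (not from the thread or from the Istio project), here is an EnvoyFilter that wires Envoy's dynamic forward proxy into the sidecar's outbound port-80 HTTP listener so that plaintext requests to any *.service.consul host leave the pod as TLS. The Envoy field names are those of the v3 dynamic_forward_proxy filter and cluster APIs; the resource, cache and cluster names, the port-80 outbound listener, and the CA bundle path are assumptions.

```yaml
# Added example (not from the original thread). Assumptions: Istio sidecar
# with outbound HTTP on port 80, the names below, and a CA bundle at the
# given path inside the sidecar.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: consul-dynamic-tls-origination
  namespace: istio-system       # mesh-wide; add a workloadSelector to narrow it
spec:
  configPatches:
  # 1. Insert the dynamic_forward_proxy HTTP filter before the router on the
  #    outbound port-80 listener. It resolves the Host header at request time
  #    and fills the DNS cache the cluster below reads from.
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_OUTBOUND
      listener:
        portNumber: 80
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.dynamic_forward_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.dynamic_forward_proxy.v3.FilterConfig
          dns_cache_config:
            name: consul_dns_cache
            dns_lookup_family: V4_ONLY
  # 2. Add a dynamic_forward_proxy cluster with a TLS transport socket.
  #    auto_sni / auto_san_validation derive the SNI and the expected SAN
  #    from each request's Host header, which static origination cannot do.
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value:
        name: consul_dynamic_forward_proxy
        lb_policy: CLUSTER_PROVIDED
        cluster_type:
          name: envoy.clusters.dynamic_forward_proxy
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
            dns_cache_config:
              name: consul_dns_cache   # must match the filter's cache name
              dns_lookup_family: V4_ONLY
        typed_extension_protocol_options:
          envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
            "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
            upstream_http_protocol_options:
              auto_sni: true             # SNI = request Host
              auto_san_validation: true  # SAN must match request Host
            explicit_http_config:
              http_protocol_options: {}
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
            common_tls_context:
              validation_context:
                trusted_ca:
                  filename: /etc/ssl/certs/ca-certificates.crt   # assumption: CA bundle in the sidecar
  # 3. Send every *.service.consul request on the port-80 route configuration
  #    to that cluster instead of the default passthrough.
  - applyTo: VIRTUAL_HOST
    match:
      context: SIDECAR_OUTBOUND
      routeConfiguration:
        portNumber: 80
    patch:
      operation: ADD
      value:
        name: consul-dynamic-tls
        domains:
        - "*.service.consul"
        routes:
        - match:
            prefix: "/"
          route:
            cluster: consul_dynamic_forward_proxy
```

The cluster's TLS transport socket is what makes the proxy dial the upstream on 443 for a Host header that carries no port, and it is only as safe as its validation_context: without trusted_ca and auto_san_validation the sidecar would encrypt to whatever answers the DNS lookup without authenticating it. After applying, confirm with istioctl proxy-config cluster and a plaintext curl from a pod that the request shows up as TLS on the Consul side.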