Hello,
We have a cluster where all traffic is blocked and only allowed through the egress, both HTTP and HTTPS. We have this RequestAuthentication where it gets the JWKS from googleapis:
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: api
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: api
  jwtRules:
  - issuer: https://accounts.google.com
    jwksUri: https://www.googleapis.com/oauth2/v3/certs
    forwardOriginalToken: true
    fromHeaders:
    - name: authorization
      prefix: bearer
and we have these configs for googleapis to route it to the egress gateway.
However, the proxy is not able to access googleapis to verify the token, while the app container is able to access it.
Here are the egress gateway configs:
# Source: external-services-egress/templates/egress.yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-services-egressgateway
  namespace: istio-system
spec:
  host: external-services-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: www-googleapis-com
---
# Source: external-services-egress/templates/egress.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: external-services-egressgateway
  namespace: istio-system
spec:
  selector:
    istio: external-services-egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - www.googleapis.com
    tls:
      mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-services
  namespace: istio-system
spec:
  hosts:
  - www.googleapis.com
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
---
# Source: external-services-egress/templates/egress.yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-external-services-through-egress-gateway
  namespace: istio-system
spec:
  hosts:
  - www.googleapis.com
  gateways:
  - istio-system/external-services-egressgateway
  - mesh
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - www.googleapis.com
    route:
    - destination:
        host: external-services-egressgateway.istio-system.svc.cluster.local
        subset: www-googleapis-com
        port:
          number: 443
      weight: 100
  - match:
    - gateways:
      - istio-system/external-services-egressgateway
      port: 443
      sniHosts:
      - www.googleapis.com
    route:
    - destination:
        host: www.googleapis.com
        port:
          number: 443
      weight: 100
---
Here is the result of proxy-config cluster:
www.googleapis.com 80 - outbound STRICT_DNS
www.googleapis.com 443 - outbound STRICT_DNS
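The TLS-passthrough egress pattern above only works when four resources agree with each other: the ServiceEntry host has to appear in the Gateway server hosts, in the VirtualService hosts and in every sniHosts match, the mesh-side route has to point at the DestinationRule host with a subset that exists, and the gateway-side route has to point back at the ServiceEntry host. The script below is an added example, not code from the original post or from Istio. It transcribes the posted manifests into Python dicts (so it runs without PyYAML) and checks those links; the mesh-side destination host is constructed with a stray space, a typo that is easy to make when copying manifests between files, to show the check firing on a hostname that Envoy could never resolve. One caveat the script cannot cover: by default it is istiod, not the sidecar, that downloads the key set at jwksUri and pushes it to the proxy inline, so the fetch that has to reach googleapis is istiod's, and that is the path to test first.

```python
"""Consistency checks for an Istio TLS-passthrough egress setup.

Added example, not from the original post. The manifests are the poster's
resources as Python dicts; the mesh-side route host is constructed with a
stray space so the whitespace check has something to catch.
"""
import copy

DESTINATION_RULE = {
    "metadata": {"name": "external-services-egressgateway", "namespace": "istio-system"},
    "spec": {"host": "external-services-egressgateway.istio-system.svc.cluster.local",
             "subsets": [{"name": "www-googleapis-com"}]},
}
GATEWAY = {
    "metadata": {"name": "external-services-egressgateway", "namespace": "istio-system"},
    "spec": {"servers": [{"port": {"number": 443, "name": "tls", "protocol": "TLS"},
                          "hosts": ["www.googleapis.com"],
                          "tls": {"mode": "PASSTHROUGH"}}]},
}
SERVICE_ENTRY = {
    "spec": {"hosts": ["www.googleapis.com"], "resolution": "DNS",
             "ports": [{"number": 80, "name": "http", "protocol": "HTTP"},
                       {"number": 443, "name": "https", "protocol": "HTTPS"}]},
}
VIRTUAL_SERVICE = {
    "spec": {
        "hosts": ["www.googleapis.com"],
        "gateways": ["istio-system/external-services-egressgateway", "mesh"],
        "tls": [
            {"match": [{"gateways": ["mesh"], "port": 443,
                        "sniHosts": ["www.googleapis.com"]}],
             "route": [{"destination": {
                 # constructed defect: whitespace inside the host name
                 "host": "external-services-egressgateway .istio-system.svc.cluster.local",
                 "subset": "www-googleapis-com", "port": {"number": 443}}}]},
            {"match": [{"gateways": ["istio-system/external-services-egressgateway"],
                        "port": 443, "sniHosts": ["www.googleapis.com"]}],
             "route": [{"destination": {"host": "www.googleapis.com",
                                        "port": {"number": 443}}}]},
        ],
    },
}


def lint_egress(service_entry, gateway, virtual_service, destination_rule):
    """Return a list of readable problems; an empty list means the four resources agree."""
    problems = []
    se_hosts = set(service_entry["spec"]["hosts"])
    gw_ref = f"{gateway['metadata']['namespace']}/{gateway['metadata']['name']}"
    gw_tls_ports = {s["port"]["number"] for s in gateway["spec"]["servers"]
                    if s["port"]["protocol"] == "TLS"}
    gw_hosts = {h for s in gateway["spec"]["servers"] for h in s["hosts"]}
    dr_host = destination_rule["spec"]["host"]
    dr_subsets = {s["name"] for s in destination_rule["spec"].get("subsets", [])}
    vs_spec = virtual_service["spec"]

    # The external host must be declared everywhere its SNI is matched.
    for host in se_hosts:
        if host not in gw_hosts:
            problems.append(f"Gateway does not list ServiceEntry host {host}")
        if host not in vs_spec["hosts"]:
            problems.append(f"VirtualService does not list ServiceEntry host {host}")
    if gw_ref not in vs_spec["gateways"]:
        problems.append(f"VirtualService is not bound to gateway {gw_ref}")

    for i, rule in enumerate(vs_spec["tls"]):
        where = f"tls[{i}]"
        for m in rule["match"]:
            for sni in m.get("sniHosts", []):
                if sni not in se_hosts:
                    problems.append(f"{where}: sniHost {sni} has no ServiceEntry")
            for g in m.get("gateways", []):
                if g == gw_ref and m.get("port") not in gw_tls_ports:
                    problems.append(f"{where}: no TLS server on gateway port {m.get('port')}")
                elif g not in ("mesh", gw_ref):
                    problems.append(f"{where}: unknown gateway {g}")
        for r in rule["route"]:
            dest = r["destination"]
            raw = dest["host"]
            host = "".join(raw.split())  # the name the author evidently meant
            if host != raw:
                problems.append(f"{where}: destination host {raw!r} contains whitespace")
            if host == dr_host:  # mesh-side hop: must name an existing subset
                if dest.get("subset") not in dr_subsets:
                    problems.append(f"{where}: subset {dest.get('subset')!r} not in DestinationRule")
            elif host not in se_hosts:  # gateway-side hop: must be the external host
                problems.append(f"{where}: destination {host} is neither egress gateway nor ServiceEntry host")
    return problems


def strip_destination_whitespace(virtual_service):
    """Return a copy of the VirtualService with whitespace removed from route hosts."""
    fixed = copy.deepcopy(virtual_service)
    for rule in fixed["spec"]["tls"]:
        for r in rule["route"]:
            r["destination"]["host"] = "".join(r["destination"]["host"].split())
    return fixed


if __name__ == "__main__":
    for p in lint_egress(SERVICE_ENTRY, GATEWAY, VIRTUAL_SERVICE, DESTINATION_RULE):
        print("PROBLEM:", p)
    fixed = strip_destination_whitespace(VIRTUAL_SERVICE)
    print("after fix:", lint_egress(SERVICE_ENTRY, GATEWAY, fixed, DESTINATION_RULE))
```

Run against the constructed input it reports exactly one problem, the whitespace in the mesh-side destination host; after `strip_destination_whitespace` the list is empty, which is the state the posted resources are in once that host reads `external-services-egressgateway.istio-system.svc.cluster.local`. The checks are deliberately structural rather than a schema validation: they catch the cross-resource mismatches that make a `proxy-config cluster` listing look healthy while the route still goes nowhere.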