Hi All,
We have an OpenShift k8s cluster deployed behind a corporate proxy. We enabled Istio and are now running the maistra-test-tool 2.3 tests.
Since the k8s cluster is behind a corporate proxy, we have to use http_proxy/https_proxy inside the pod for egress tests, and we are using --proxy in the curl command.
e.g.
kubectl exec sleep-85df789ffc-7k7kc -n bookinfo -c sleep -- curl --proxy <corporate-proxy> -sSL -o /dev/null -D - http://istio.io
But this test (maistra-test-tool/test_cases.go at 769761a788d95e070c33ae51dc1afe7c32803cd3, maistra/maistra-test-tool on GitHub), which tests the scenario Istio / Egress TLS Origination, is failing.
As part of this test, the following service entry and destination rule are created, and it is expected to initiate an https connection for http://istio.io
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: istio-io
spec:
  hosts:
  - istio.io
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
    targetPort: 443
  - number: 443
    name: https-port
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: edition-istio-io
spec:
  host: istio.io
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: SIMPLE # initiates HTTPS when accessing istio.io
But the request is going out as http://istio.io/ and we are getting a 301, and then the request is redirected to https://istio.io, which is not expected; instead the request should go out as https://istio.io and we should get a 200 OK response directly.
Test case logs
INFO[2023-01-16T03:01:17-05:00] Running command kubectl exec sleep-85df789ffc-7k7kc -n bookinfo -c sleep -- curl --proxy <corporate-proxy> -sSL -o /dev/null -D - http://istio.io
INFO[2023-01-16T03:01:17-05:00] Command output:
HTTP/1.1 301 Moved Permanently
Location: https://istio.io/
Server: Netlify
X-Nf-Request-Id: 01GPWSKDNVGKBQJCDP0WH7ZBRA
Date: Mon, 16 Jan 2023 08:02:16 GMT
Content-Length: 32
Content-Type: text/plain; charset=utf-8
Via: 1.1 sjc05-73m-lab-wsa-1.cisco.com:80 (Cisco-WSA/X)
Connection: keep-alive
Proxy-Connection: keep-alive
HTTP/1.1 200 Connection established
HTTP/2 200
access-control-allow-origin: *
age: 4311
cache-control: public, max-age=0, must-revalidate
content-type: text/html; charset=UTF-8
date: Mon, 16 Jan 2023 06:50:26 GMT
etag: "4dd9469a5840a4d840b9304eb9a0f1e8-ssl"
server: Netlify
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN
x-nf-request-id: 01GPWSKDWY12ZBBND9XK1Q22WX
x-xss-protection: 1; mode=block
content-length: 30722
So how do we validate this scenario? Is any other configuration needed for this Istio test when k8s is behind a corporate proxy?
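
One way to check the curl output in the test log above against the expected result, as an added example that is not part of the original post or of maistra-test-tool: it splits a `curl -D -` header dump into responses and reports whether the first response from the site was a redirect to HTTPS or a direct 200. The function names and verdict strings are assumptions; FROM_POST is trimmed from the log in the post and EXPECTED is constructed.

```python
import re

STATUS = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})\s*(.*)$")

# Trimmed from the test case log in the post.
FROM_POST = """\
HTTP/1.1 301 Moved Permanently
Location: https://istio.io/
Server: Netlify
Via: 1.1 sjc05-73m-lab-wsa-1.cisco.com:80 (Cisco-WSA/X)
HTTP/1.1 200 Connection established
HTTP/2 200
server: Netlify
content-length: 30722
"""

# Constructed: the single response the post expects to see.
EXPECTED = """\
HTTP/1.1 200 OK
content-type: text/html; charset=UTF-8
"""

def parse_hops(dump):
    """Split a `curl -D -` header dump into one dict per response."""
    hops = []
    for line in dump.splitlines():
        line = line.strip()
        m = STATUS.match(line)
        if m:  # a status line starts a new response
            hops.append({"status": int(m.group(1)), "reason": m.group(2), "headers": {}})
        elif hops and ":" in line:
            name, value = line.split(":", 1)
            hops[-1]["headers"][name.strip().lower()] = value.strip()
    return hops

def classify(dump):
    """Return a verdict string for the chain of responses curl followed."""
    hops = parse_hops(dump)
    # "200 Connection established" is the proxy answering curl's CONNECT, not the site.
    origin = [h for h in hops if "connection established" not in h["reason"].lower()]
    if not origin:
        return "no-response"
    first = origin[0]
    location = first["headers"].get("location", "")
    if first["status"] in (301, 302, 307, 308) and location.startswith("https://"):
        return "redirected-to-https"  # the request left as plain HTTP
    if first["status"] == 200 and len(origin) == 1:
        return "direct-200"           # what the post expects from the test
    return "other"
```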