I have use case where we want to route certain requests via a corporate HTTP proxy. Based on this guide I was able to configure the external access successfully. For context I’ve added a example ServiceEntry:
apiVersion: networking.istio.io/v1beta1 kind: ServiceEntry metadata: name: proxy spec: addresses: - 10.1.1.1 - 10.1.1.2 exportTo: - . hosts: - foo.proxy # this is technically ignored when protocol is TCP location: MESH_EXTERNAL ports: - name: tcp number: 3128 protocol: TCP
This works when we have the app automatically resolve to one of the proxy addresses above (i.e: host file entry).
In an effort to provide automatic DNS resolution I setup a a k8s Service without selectors as per the docs. In a non istio namespace, this allows me to resolve
foo.proxy.default.cluster.local without the host file entries as expected e.g:
curl -v --proxy foo.default.svc.cluster.local:3128 https://blah.com
However within a istio namespace with the existing ServiceEntry (above) it fails with a
404 Not Found . The logs show:
2021-08-11T08:56:47.088919Z debug envoy router [C1114][S1115555414526221653] no cluster match for URL '' 2021-08-11T08:56:47.088928Z debug envoy http [C1114][S1115555414526221653] Sending local reply with details route_not_found
There are no further istio configurations in this namespace besides the ServiceEntry detailed above.
The only noticeable difference now to me is, instead of connecting directly to the external addresses (10.1.1.1/10.1.1.2) it would be making a connection to the service ClusterIP but given that this is within the mesh I would have thought that no further configuration is required.
Can I get some pointers on why this might not be working?