5

Istio does not route to external HTTPs service via TLS origination.

I have a pod containing two containers: - Application - ISTIO Proxy

Application makes a call to external third party API which resides on https://someurl.somedomain.com/v1/some-service

Application sends HTTP requests to this service by calling http://someurl.somedomain.com/v1/some-service - notice that it's HTTP and not HTTPs.

I then configured the following in ISTIO:

  • Virtual service to route HTTP traffic to port 443:
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: someservice-vs
spec:
  hosts:
  - someurl.somedomain.com
  http:
  - match:
    - port: 80    
    route:
    - destination:
        host: someurl.somedomain.com
        port:
          number: 443      
    timeout: 40s
    retries:
      attempts: 10
      perTryTimeout: 4s      
      retryOn: gateway-error,connect-failure,refused-stream,retriable-4xx,5xx
  • Service Entry that allows the traffic out. As you can see, we specify that service is external to the mesh and we opened 443 and 80 both of which use HTTP, but 443 is configured for TLS origination.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: someservice-se
spec:
  hosts:
  - someurl.somedomain.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: http-port-for-tls-origination
    protocol: HTTP
  - number: 80
    name: http-port
    protocol: HTTP
  resolution: DNS

Finally, I have a destination rule that applies simple TLS to the outgoing traffic:


---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: someservice-destinationrule
spec:
  host: someurl.somedomain.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE # initiates HTTPS when accessing someurl.somedomain.com

For some reason this does not work and I get 404 when calling the service from my application container, which indicates that traffic isn't being encrypted via TLS.

The reason why I use TLS origination is because I need to apply re-tries in my virtual service and I can only do this with HTTP routes as otherwise ISTIO cannot see request and work with it.

Been scratching my head for two days and need some help please :-)

P Ekambaram
  • 15,499
  • 7
  • 34
  • 59
vikp
  • 151
  • 1
  • 9
  • 1
    Can you try using a dedicated egress gateway for this? – Dmitriy Zhukov May 15 '19 at 23:08
  • Hi Dmitry, can you please elaborate as I'm new to ISTIO? I have one ingress gateway for incoming requests that get routed to mesh internal service, but that's it. – vikp May 16 '19 at 08:34

3 Answers3

2

Got to the bottom of this. ISTIO documentation was correct - TLS origination and retries work as expected.

The issue was caused by the perTryTimeout value which was too low. Requests were not completing in allocated time, so the gateway was timing out. It caught us out because the external service's performance has degraded recently and we didn't think to check it.

vikp
  • 151
  • 1
  • 9
1

I think it should work like so:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: someservice-vs
spec:
  hosts:
    - someurl.somedomain.com
  http:
    - match:
        - port: 80
      route:
        - destination:
            host: someurl.somedomain.com
      timeout: 40s
      retries:
        attempts: 10
        perTryTimeout: 4s
        retryOn: gateway-error,connect-failure,refused-stream,retriable-4xx,5xx
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: someservice-se
spec:
  hosts:
    - someurl.somedomain.com
  location: MESH_EXTERNAL
  ports:
    - number: 80
      protocol: HTTP
      name: http
  endpoints:
    - address: someurl.somedomain.com
      ports:
        http: 443
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: someservice-destinationrule
spec:
  host: someurl.somedomain.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    tls:
      mode: SIMPLE # initiates HTTPS when accessing someurl.somedomain.com

Make the ServiceEntry listen on port 80 but with the endpoint address pointing to port 443. Then the DestinationRule applies TLS for everything targeting port 80, which is eventually forwarded via the endpoints of the cluster to port 443.

Robert Panzer
  • 1,419
  • 12
  • 14
0

Configuring TLS origination is documented here.

The configuration shown above is correct. Turns out the actual problem was caused by an insufficient timeout in the virtual service, not the TLS origination.

https://discuss.istio.io/t/can-i-route-http-traffic-as-https-to-an-external-service/489/8

Frank B
  • 900
  • 4
  • 12