4

We use istio to use distributed tracing. Our microservices sometimes need to hit external APIs, which usually communicate over https.

To measure the exact performance of the whole system, we want to trace the communication when hitting an external API.
However, distributed tracing requires access to the header of the request, but https does not allow access because the header is encrypted.
For confirmation, I deployed bookinfo on GKE with istio enabled, entered the productpage container of the productpage pod, and executed the following command.

```
$ curl http://google.com
$ curl https://google.com
```

Only http communication was displayed on zipkin.

Is it possible to get a series of traces, including APIs that use external https?

yu saito
  • Based on [github](https://github.com/IBM/opentracing-istio-troubleshooting/blob/master/README.md#setup), by default the tracing sampling frequency is 1%. Could you try changing it to 100% and then try again? Let me know if that works. – Jakub Jan 27 '20 at 12:05
  • This test was done after setting the sampling rate to 100%. – yu saito Jan 28 '20 at 05:23
  • Check out these 2 links, [envoy](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/trace/v2/trace.proto#config-trace-v2-tracing), [stackoverflow](https://stackoverflow.com/questions/187655/are-https-headers-encrypted). Based on that, I would say it's not possible to use zipkin to track https. Let me know if that answers your question. – Jakub Jan 28 '20 at 13:55
  • Thank you for your information. I read your link, and I understand that envoy does not provide an https tracer. – yu saito Jan 29 '20 at 06:52

2 Answers

1

Based on envoy documentation it doesn't support https tracing.

> The tracing configuration specifies global settings for the HTTP tracer used by Envoy. The configuration is defined by the Bootstrap tracing field. Envoy may support other tracers in the future, but right now the HTTP tracer is the only one supported.

And this post on stackoverflow

> HTTPS (HTTP over SSL) sends all HTTP content over a SSL tunnel, so HTTP content and headers are encrypted as well.

I have even tried to reproduce that, but like in your case zipkin worked only for http.

Based on that I would say it's not possible to use zipkin to track https.

Jakub
0

You should use egress-gateway. When all external calls go to the gateway, istio can get the metadata and do some tracing work. There are many advantages when using an ingress/egress gateway:

  • Increasing security: We can set up all security rules at the gateway.
  • Abstracting the application logic: Instead of configuring settings at each microservice.
  • TLS processing: Like the above example, envoy can have all the necessary data in HTTPS requests.

hqt
  • Do you also need to make a plain HTTP call to the service, and let the egress gateway do TLS origination? – David Maze Jan 27 '20 at 10:31
  • Unfortunately, it does not work... I followed [egress-gateway](https://istio.io/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-https-traffic) and could not get span info. I think egress-gateway traces https request info, but it is not a span that is part of the trace. – yu saito Jan 29 '20 at 06:48
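
The TLS-origination setup raised in the comments above, as an added example that is not part of the original thread: the application sends plain HTTP to its sidecar, so Envoy's HTTP tracer sees the request and its headers, and the sidecar then opens the TLS connection to the external host. The host `api.example.com`, the resource names and the CA bundle path are assumptions, as is an Istio release whose ServiceEntry ports support `targetPort`.

```yaml
# Added example (not from the thread). api.example.com is a placeholder host.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api            # hypothetical name
spec:
  hosts:
  - api.example.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP              # the app calls http://api.example.com
    targetPort: 443             # the sidecar forwards to the TLS port upstream
  - number: 443
    name: https-port
    protocol: HTTPS             # direct https:// calls stay opaque TLS (no HTTP span)
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-api-tls        # hypothetical name
spec:
  host: api.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: SIMPLE            # the sidecar originates TLS for port-80 traffic
        sni: api.example.com
        # The application no longer validates the server certificate itself,
        # so the proxy must do it. The path is an assumption about the CA
        # bundle location inside the istio-proxy image.
        caCertificates: /etc/ssl/certs/ca-certificates.crt
        subjectAltNames:
        - api.example.com
```

With this applied, `curl http://api.example.com` from the application container leaves the pod encrypted, while the only plaintext hop is between the application and its own sidecar. A workload that keeps calling `https://` directly bypasses the origination path and produces no HTTP span.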