Accessing an HTTPS service egress, istio v1.0

9/20/2018

I am trying to enable a deployment in the gateway namespace to send metrics to an external service at engine-report.apollodata.com.

I have written the following ServiceEntry and VirtualService rules, as per the Istio documentation, yet no traffic is able to reach the endpoint.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: apollo-engine-ext
  namespace: {{ .Release.Namespace }}
  labels:
      chart: {{ .Chart.Name }}
      release: {{ .Release.Name }}
      heritage: {{ .Release.Service }}
spec:
  hosts:
  - '*.apollodata.com'
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: apollo-engine-ext
  namespace: {{ .Release.Namespace }}
  labels:
      chart: {{ .Chart.Name }}
      release: {{ .Release.Name }}
      heritage: {{ .Release.Service }}
spec:
  hosts:
  - '*.apollodata.com'
  tls:
  - match:
    - port: 443
      sni_hosts:
      - '*.apollodata.com'
    route:
    - destination:
        host: '*.apollodata.com'
        port:
          number: 443
      weight: 100

What might be causing this issue?

-- Pegladon
istio
kubernetes

2 Answers

10/3/2018

I think the problem is that you are using DNS resolution in a ServiceEntry with a wildcard host. According to the documentation, if there are no endpoints in the ServiceEntry, DNS resolution will only work if the host is not a wildcard.

If the endpoints are DNS resolvable by the application, then it should work if you set the resolution to NONE.

-- Frank B
Source: StackOverflow
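The rule Frank B quotes (DNS resolution plus wildcard hosts plus no endpoints does not work) is easy to miss by eye in a Helm-templated manifest. Below is an added pre-apply check, written for this answer and not taken from the thread or from Istio itself, that encodes that rule together with a consistency check between the ServiceEntry and the VirtualService: every sniHosts entry (the snake_case sni_hosts spelling from the question is also accepted), every TLS route destination and every matched port must be covered by the ServiceEntry, so the egress rule only names destinations the ServiceEntry actually opens. The manifests are constructed inline as Python dicts (the YAML already parsed) so it runs without PyYAML; the fix Frank B suggests, switching resolution to NONE, is shown as a third case.

```python
"""Pre-apply sanity check for an Istio v1alpha3 ServiceEntry/VirtualService pair.

Added example for the thread above, not code from Istio or the posters.
Rules checked:
  1. resolution: DNS with no explicit endpoints must not use wildcard hosts
     (the Istio constraint Frank B's answer refers to).
  2. Hosts, sniHosts and route destinations in the VirtualService must be
     covered by a ServiceEntry host, and matched ports must be declared there.
  3. An external service should carry location: MESH_EXTERNAL.
"""
from fnmatch import fnmatchcase


def is_wildcard(host):
    return "*" in host


def host_covered(host, se_hosts):
    # An exact host matches itself; a leading "*." entry matches any subdomain.
    # fnmatchcase is used as a stand-in for Istio's suffix-wildcard semantics.
    return any(fnmatchcase(host, pattern) for pattern in se_hosts)


def check_service_entry(se):
    """Return a list of problems found in a ServiceEntry."""
    spec = se["spec"]
    problems = []
    if spec.get("resolution") == "DNS" and not spec.get("endpoints"):
        for h in spec.get("hosts", []):
            if is_wildcard(h):
                problems.append(f"DNS resolution without endpoints cannot use wildcard host {h!r}")
    if spec.get("location") != "MESH_EXTERNAL":
        problems.append("external service should be marked location: MESH_EXTERNAL")
    return problems


def check_virtual_service(vs, se):
    """Return problems where the VirtualService names something the ServiceEntry does not open."""
    se_hosts = se["spec"].get("hosts", [])
    se_ports = {p["number"] for p in se["spec"].get("ports", [])}
    problems = []
    for h in vs["spec"].get("hosts", []):
        if not host_covered(h, se_hosts):
            problems.append(f"VirtualService host {h!r} not covered by ServiceEntry")
    for rule in vs["spec"].get("tls", []):
        for m in rule.get("match", []):
            if "port" in m and m["port"] not in se_ports:
                problems.append(f"tls match port {m['port']} not declared in ServiceEntry")
            for sni in m.get("sniHosts") or m.get("sni_hosts") or []:
                if not host_covered(sni, se_hosts):
                    problems.append(f"sniHost {sni!r} not covered by ServiceEntry")
        for r in rule.get("route", []):
            dest = r["destination"]["host"]
            if not host_covered(dest, se_hosts):
                problems.append(f"route destination {dest!r} not covered by ServiceEntry")
    return problems


def check_pair(se, vs):
    return check_service_entry(se) + check_virtual_service(vs, se)


# --- constructed inputs mirroring the two configurations in the thread ---
PORTS = [{"number": 80, "name": "http", "protocol": "HTTP"},
         {"number": 443, "name": "https", "protocol": "HTTPS"}]

def tls_rule(host):
    return {"match": [{"port": 443, "sniHosts": [host]}],
            "route": [{"destination": {"host": host, "port": {"number": 443}}}]}

# The question's original pair: wildcard host with DNS resolution.
ORIGINAL_SE = {"kind": "ServiceEntry", "spec": {
    "hosts": ["*.apollodata.com"], "ports": PORTS,
    "resolution": "DNS", "location": "MESH_EXTERNAL"}}
ORIGINAL_VS = {"kind": "VirtualService", "spec": {
    "hosts": ["*.apollodata.com"], "tls": [tls_rule("*.apollodata.com")]}}

# Frank B's suggestion applied to the original: resolution NONE.
RESOLUTION_NONE_SE = {"kind": "ServiceEntry",
                      "spec": {**ORIGINAL_SE["spec"], "resolution": "NONE"}}

# The explicit-host pair from the asker's own answer.
EXPLICIT_HOSTS = ["apollodata.com", "engine-report.apollodata.com", "apollographql.com"]
WORKING_SE = {"kind": "ServiceEntry", "spec": {
    "hosts": EXPLICIT_HOSTS, "ports": PORTS,
    "resolution": "DNS", "location": "MESH_EXTERNAL"}}
WORKING_VS = {"kind": "VirtualService", "spec": {
    "hosts": EXPLICIT_HOSTS, "tls": [tls_rule(h) for h in EXPLICIT_HOSTS]}}


if __name__ == "__main__":
    for label, se, vs in [("original", ORIGINAL_SE, ORIGINAL_VS),
                          ("resolution NONE", RESOLUTION_NONE_SE, ORIGINAL_VS),
                          ("explicit hosts", WORKING_SE, WORKING_VS)]:
        print(label, "->", check_pair(se, vs) or "ok")
```

Run against the original pair the check reports the wildcard/DNS conflict; both fixes (resolution NONE, or enumerating the hosts) pass. Enumerating hosts is the tighter of the two, since the ServiceEntry is effectively the egress allow-list and a wildcard admits every subdomain.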

9/24/2018

Using the following configuration, the issue was resolved. I'm still unsure as to what was causing it. To clarify some of the comments on my original question: using the original configuration, it was possible to curl the http://engine-report.apollodata.com and https://engine-report.apollodata.com endpoints, but, as intended through the Istio service mesh, external endpoints like http://www.google.com were unavailable.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: "apollo-engine-ext"
  namespace: {{ .Release.Namespace }}
  labels:
      chart: {{ .Chart.Name }}
      release: {{ .Release.Name }}
      heritage: {{ .Release.Service }}
spec:
  hosts:
  - apollodata.com
  - engine-report.apollodata.com
  - apollographql.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: "apollo-engine-ext"
  namespace: {{ .Release.Namespace }}
  labels:
      chart: {{ .Chart.Name }}
      release: {{ .Release.Name }}
      heritage: {{ .Release.Service }}
spec:
  hosts:
  - apollodata.com
  - engine-report.apollodata.com
  - apollographql.com
  tls:
  - match:
    - port: 443
      sniHosts:
      - apollodata.com
    route:
    - destination:
        host: apollodata.com
  - match:
    - port: 443
      sniHosts:
      - engine-report.apollodata.com
    route:
    - destination:
        host: engine-report.apollodata.com
  - match:
    - port: 443
      sniHosts:
      - apollographql.com
    route:
    - destination:
        host: apollographql.com

-- Pegladon
Source: StackOverflow