How to configure TLS origination in ISTIO?

5/9/2019

Istio does not route to an external HTTPS service via TLS origination.

I have a pod containing two containers:

  • Application
  • ISTIO Proxy

The application makes a call to an external third-party API which resides at https://someurl.somedomain.com/v1/some-service

The application sends HTTP requests to this service by calling http://someurl.somedomain.com/v1/some-service - notice that it is HTTP and not HTTPS.

I then configured the following in ISTIO:

  • Virtual service to route HTTP traffic to port 443:
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: someservice-vs
spec:
  hosts:
  - someurl.somedomain.com
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: someurl.somedomain.com
        port:
          number: 443
    timeout: 40s
    retries:
      attempts: 10
      perTryTimeout: 4s
      retryOn: gateway-error,connect-failure,refused-stream,retriable-4xx,5xx
  • Service Entry that allows the traffic out. As you can see, we specify that the service is external to the mesh and we opened 443 and 80, both of which use HTTP, but 443 is configured for TLS origination.
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: someservice-se
spec:
  hosts:
  - someurl.somedomain.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: http-port-for-tls-origination
    protocol: HTTP
  - number: 80
    name: http-port
    protocol: HTTP
  resolution: DNS

Finally, I have a destination rule that applies simple TLS to the outgoing traffic:

---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: someservice-destinationrule
spec:
  host: someurl.somedomain.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE # initiates HTTPS when accessing someurl.somedomain.com

For some reason this does not work and I get a 404 when calling the service from my application container, which indicates that the traffic isn't being encrypted via TLS.

The reason I use TLS origination is that I need to apply retries in my virtual service, and I can only do this with HTTP routes, as otherwise ISTIO cannot see the request and work with it.

Been scratching my head for two days and need some help please :-)

-- vikp
envoyproxy
istio
kubernetes
mtls

3 Answers

5/16/2019

I think it should work like so:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: someservice-vs
spec:
  hosts:
    - someurl.somedomain.com
  http:
    - match:
        - port: 80
      route:
        - destination:
            host: someurl.somedomain.com
      timeout: 40s
      retries:
        attempts: 10
        perTryTimeout: 4s
        retryOn: gateway-error,connect-failure,refused-stream,retriable-4xx,5xx
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: someservice-se
spec:
  hosts:
    - someurl.somedomain.com
  location: MESH_EXTERNAL
  ports:
    - number: 80
      protocol: HTTP
      name: http
  endpoints:
    - address: someurl.somedomain.com
      ports:
        http: 443
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: someservice-destinationrule
spec:
  host: someurl.somedomain.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    tls:
      mode: SIMPLE # initiates HTTPS when accessing someurl.somedomain.com

Make the ServiceEntry listen on port 80 but with the endpoint address pointing to port 443. Then the DestinationRule applies TLS for everything targeting port 80, which is eventually forwarded via the endpoints of the cluster to port 443.

-- Robert Panzer
Source: StackOverflow

5/16/2019

Configuring TLS origination is documented here.

The configuration shown above is correct. Turns out the actual problem was caused by an insufficient timeout in the virtual service, not the TLS origination.

https://discuss.istio.io/t/can-i-route-http-traffic-as-https-to-an-external-service/489/8

-- Frank B
Source: StackOverflow

5/16/2019

Got to the bottom of this. ISTIO documentation was correct - TLS origination and retries work as expected.

The issue was caused by the perTryTimeout value, which was too low. Requests were not completing in the allocated time, so the gateway was timing out. It caught us out because the external service's performance had degraded recently and we didn't think to check it.

-- vikp
Source: StackOverflow
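A small consistency check for the objects in the question, added here as an example; it is not code from the original post or from Istio. It assumes the VirtualService and DestinationRule are available as Python dicts in the shape `kubectl get <kind> <name> -o json` returns (the constructed samples below mirror the question's manifests), that the caller supplies an observed upstream p99 latency, and that the function names (`check_origination`, `check_retries`, `duration_s`, `tls_mode_for_port`) are this example's own. It flags a routed destination port the DestinationRule does not originate TLS for, and, the lesson of the last answer, a perTryTimeout the upstream cannot meet.

```python
import re

# Constructed sample: the question's VirtualService and DestinationRule, as `kubectl get <kind> <name> -o json` returns them, trimmed to the fields used here.
VS = {"kind": "VirtualService", "spec": {"hosts": ["someurl.somedomain.com"], "http": [{
    "match": [{"port": 80}], "timeout": "40s",
    "route": [{"destination": {"host": "someurl.somedomain.com", "port": {"number": 443}}}],
    "retries": {"attempts": 10, "perTryTimeout": "4s", "retryOn": "gateway-error,5xx"}}]}}
DR = {"kind": "DestinationRule", "spec": {"host": "someurl.somedomain.com", "trafficPolicy": {
    "portLevelSettings": [{"port": {"number": 443}, "tls": {"mode": "SIMPLE"}}]}}}

def duration_s(text):
    """Convert an Istio duration string such as '40s' or '500ms' to seconds."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(ms|s|m|h)", text.strip())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return float(m.group(1)) * {"ms": 0.001, "s": 1, "m": 60, "h": 3600}[m.group(2)]

def tls_mode_for_port(dr, port):
    """TLS mode the DestinationRule applies to `port`; a port-level setting wins over the host-level one."""
    policy = dr["spec"].get("trafficPolicy", {})
    for pls in policy.get("portLevelSettings", []):
        if pls.get("port", {}).get("number") == port:
            return pls.get("tls", {}).get("mode", "DISABLE")
    return policy.get("tls", {}).get("mode", "DISABLE")

def check_origination(vs, dr):
    """List every VirtualService destination that the DestinationRule would send out in plaintext."""
    findings = []
    for rule in vs["spec"].get("http", []):
        for route in rule.get("route", []):
            dest = route["destination"]
            port = dest.get("port", {}).get("number")  # None: the host-level policy applies
            mode = tls_mode_for_port(dr, port)
            if mode not in ("SIMPLE", "MUTUAL"):
                findings.append(f"{dest['host']}:{port} leaves the sidecar without TLS (mode {mode})")
    return findings

def check_retries(vs, observed_p99_s):
    """Flag a per-try timeout the upstream cannot meet (the question's actual bug) or attempts that overrun the route timeout."""
    findings = []
    for rule in vs["spec"].get("http", []):
        retries, total = rule.get("retries"), rule.get("timeout")
        per_try = (retries or {}).get("perTryTimeout", total)  # Istio: defaults to the route timeout
        if not retries or per_try is None:
            continue  # no retries, or nothing bounds a single attempt
        per_try = duration_s(per_try)
        if per_try <= observed_p99_s:
            findings.append(f"perTryTimeout {per_try:g}s is not above upstream p99 {observed_p99_s:g}s")
        if total and retries["attempts"] * per_try > duration_s(total):
            findings.append(f"{retries['attempts']} attempts x {per_try:g}s exceed timeout {total}")
    return findings
```

With the question's values, `check_retries(VS, 6.0)` reproduces the thread's failure mode (four-second attempts against a service that now takes longer than that), while `check_origination(VS, DR)` is clean, matching the answers' conclusion that the TLS configuration itself was right.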