K
Q

istio - tracing egress traffic

5/18/2019

I installed Istio with

gateways.istio-egressgateway.enabled = true

I have a service that consumes external services, so I define the following egress rule.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-service1
spec:
  hosts:
  - external-service1.com
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL

But using Jaeger I can not see the traffic to the external service, and thus be able to detect problems in the network.

I'm forwarding the appropriate headers to the external service (x-request-id, x-b3-traceid, x-b3-spanid, b3-parentspanid, x-b3-sampled, x-b3-flags, x-ot-span-context)

Is this the correct behavior? what is happening? Can I only have statistics of internal calls? How can I have statistics for egress traffic?

-- user60108
istio
jaeger
kubernetes

Similar Questions

spring zuul gateway in kubernetes
Minikube start stuck in waiting for pods and timeout
Using Horizontal Pod Autoscaling along with resource requests and limits
How to know when a Service is created?
Kubernetes master minion ingress not working
How to authenticate multiple Azure Apps against oauth2_proxy in Kubernetes
Access MySQL Single-Instance Kubernetes Deployment

1 Answer

6/5/2019

Assuming that your services are defined in Istio’s internal service registry. If not please configure it according to instruction service-defining.

In HTTPS all the HTTP-related information like method, URL path, response code, is encrypted so Istio cannot see and cannot monitor that information for HTTPS. If you need to monitor HTTP-related information in access to external HTTPS services, you may want to let your applications issue HTTP requests and configure Istio to perform TLS origination.

First you have to redefine your ServiceEntry and create VirtualService to rewrite the HTTP request port and add a DestinationRule to perform TLS origination.

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-service1
spec:
  hosts:
  - external-service1.com
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: http-port-for-tls-origination
    protocol: HTTP
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: external-service1
spec:
  hosts:
  - external-service1.com
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: external-service1.com
        port:
          number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-service1
spec:
  host: external-service1.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE # initiates HTTPS when accessing external-service1.com
EOF

The VirtualService redirects HTTP requests on port 80 to port 443 where the corresponding DestinationRule then performs the TLS origination. Unlike the previous ServiceEntry, this time the protocol on port 443 is HTTP, instead of HTTPS, because clients will only send HTTP requests and Istio will upgrade the connection to HTTPS.

I hope it helps.

-- MaggieO
Source: StackOverflow