We are running a bunch of microservices in an Istio-enabled Kubernetes cluster. One of the microservices makes a call to an external service outside of the cluster, and I need to route that particular call through the company proxy, which is also running external to the cluster.
To explain a bit more: say I set HTTP_PROXY in the container and make the curl call to http://external.com. The call succeeds, as it is routed through the proxy, but I want Istio to do this routing through the proxy transparently.
E.g. when I run curl http://external.com from within the container, Istio should automatically route the HTTP call via the company proxy and return the response.
I have created service entries for both external.com and proxy.com to make the call successful.
If I understood right, what you are looking for is an Egress Gateway.
Here is part of the tutorial for configuring an external HTTPS proxy from the Istio documentation:
Configure traffic to external HTTPS proxy
- Define a TCP (not HTTP!) Service Entry for the HTTPS proxy. Although applications use the HTTP CONNECT method to establish connections with HTTPS proxies, you must configure the proxy for TCP traffic, instead of HTTP. Once the connection is established, the proxy simply acts as a TCP tunnel.
```
$ kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: proxy
spec:
  hosts:
  - my-company-proxy.com # ignored
  addresses:
  - $PROXY_IP/32
  ports:
  - number: $PROXY_PORT
    name: tcp
    protocol: TCP
  location: MESH_EXTERNAL
EOF
```
- Send a request from the sleep pod in the default namespace. Because the sleep pod has a sidecar, Istio controls its traffic.
```
$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c "HTTPS_PROXY=$PROXY_IP:$PROXY_PORT curl https://en.wikipedia.org/wiki/Main_Page" | grep -o "<title>.*</title>"
<title>Wikipedia, the free encyclopedia</title>
```
- Check the Istio sidecar proxy’s logs for your request:
```
$ kubectl logs $SOURCE_POD -c istio-proxy
[2018-12-07T10:38:02.841Z] "- - -" 0 - 702 87599 92 - "-" "-" "-" "-" "172.30.109.95:3128" outbound|3128||my-company-proxy.com 172.30.230.52:44478 172.30.109.95:3128 172.30.230.52:44476 -
```
- Check the access log of the proxy for your request:
```
$ kubectl exec -it $(kubectl get pod -n external -l app=squid -o jsonpath={.items..metadata.name}) -n external -- tail -f /var/log/squid/access.log
1544160065.248    228 172.30.109.89 TCP_TUNNEL/200 87633 CONNECT en.wikipedia.org:443 - HIER_DIRECT/91.198.174.192 -
```
Check out the whole tutorial, as it covers the setup requirements and also has steps to simulate an external proxy, so you can compare whether it is working as intended.
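
The sidecar log line quoted above records only the proxy endpoint (`outbound|3128||my-company-proxy.com`), while the Squid access log is the place where the tunnel's real destination appears. The following is an added example, not part of the answer or the Istio documentation: it parses Squid's default access-log format and flags CONNECT destinations outside an allowlist; the function names, the allowlist and all sample lines except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Squid default log layout: time elapsed client code/status bytes method URL user hierarchy/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def parse_squid_line(line):
    """Return a dict for one access.log line, or None if it does not match."""
    m = SQUID_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec

def audit_tunnels(lines, allowed_hosts):
    """Group CONNECT tunnels by client IP and flag hosts outside the allowlist."""
    allowed = {h.lower() for h in allowed_hosts}
    report = defaultdict(lambda: {"allowed": [], "flagged": []})
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue  # only tunnels hide their destination from the sidecar
        host, _, port = rec["url"].rpartition(":")
        if not port.isdigit():
            continue  # malformed CONNECT target, skip rather than guess
        host = host.strip("[]").lower()  # tolerate bracketed IPv6 literals
        bucket = "allowed" if host in allowed else "flagged"
        report[rec["client"]][bucket].append((host, int(port)))
    return dict(report)

SAMPLE_LOG = [
    # first line is the one quoted in the answer; the other two are constructed
    "1544160065.248    228 172.30.109.89 TCP_TUNNEL/200 87633 CONNECT en.wikipedia.org:443 - HIER_DIRECT/91.198.174.192 -",
    "1544160071.102     15 172.30.109.89 TCP_TUNNEL/200 5120 CONNECT unexpected.example:443 - HIER_DIRECT/203.0.113.10 -",
    "1544160080.500      3 172.30.109.90 TCP_MISS/200 1200 GET http://external.example/ - HIER_DIRECT/203.0.113.20 text/html",
]

if __name__ == "__main__":
    for client, result in audit_tunnels(SAMPLE_LOG, {"en.wikipedia.org"}).items():
        print(client, result)
```
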