We want to to route https traffic to an https endpoint using Istio Ingress Gateway.

We terminate the TLS traffic at the Ingress Gateway, but our backend service uses https as well.

I have the following manifests:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: datalake-dsodis-istio-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "gw-hdfs-spark.dsodis.domain"
    - "spark-history.dsodis.domain"
    port:
      name: https-wildcard
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: gw-spark-history-istio-vs
spec:
  gateways:
  - default/datalake-dsodis-istio-gateway
  hosts:
  - "spark-history.dsodis.domain"
  http:
    - match:
      - uri:
          prefix: /
      route:
        - destination:
            host: gateway-svc-clusterip.our_application_namespace.svc.cluster.local
            port:
              number: 8443

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-spark-history
spec:
  host: gateway-svc-clusterip.our_application_namespace.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 8443 
      tls:
        mode: SIMPLE

The problem is most likely, that we are sending TLS terminated traffic, (so to say) HTTP traffic, to the HTTPS backend. Therefore we might get 503 Service Unavailable when accessing the service through Istio.

The command accessing it is:

curl -vvvv -H"Host: spark-history.dsodis.domain" --resolve "spark-history.dsodis.domain:31390:IP" https://spark-history.dsodis.domain:31390/gateway/default/sparkhistory  -k

My question is, how can I tell Istio to route traffic to the backend service using https?

Thanks in advance.

Best regards, rforberger