Reputation: 127
We use Istio to use distributed tracing. Our microservices sometimes need to hit external APIs, which usually communicate over HTTPS.
To measure the exact performance of the whole system, we want to trace the communication when hitting an external API.
However, distributed tracing requires access to the header of the request, but HTTPS does not allow access because the header is encrypted.
For confirmation, I deployed bookinfo on GKE with Istio enabled, entered the productpage container of the productpage pod, and executed the following commands.
$ curl http://google.com
$ curl https://google.com
Only HTTP communication was displayed on Zipkin.
Is it possible to get a series of traces, including APIs that use external HTTPS?
Upvotes: 4
Views: 534
Reputation: 8840
Based on the Envoy documentation, it doesn't support HTTPS tracing.
The tracing configuration specifies global settings for the HTTP tracer used by Envoy. The configuration is defined by the Bootstrap tracing field. Envoy may support other tracers in the future, but right now the HTTP tracer is the only one supported.
And this post on Stack Overflow:
HTTPS (HTTP over SSL) sends all HTTP content over an SSL tunnel, so HTTP content and headers are encrypted as well.
I have even tried to reproduce that, but like in your case, Zipkin worked only for HTTP.
Based on that I would say it's not possible to use Zipkin to track HTTPS.
Upvotes: 1
Reputation: 30284
You should use egress-gateway. When all external calls go to the gateway, Istio can get the metadata and do some tracing work. There are many advantages when using ingress/egress gateway:
Upvotes: 0
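The posts above agree that Envoy's HTTP tracer only sees requests whose headers it can read. One way to get that for an external HTTPS API is to have the application send plain HTTP to its sidecar and let the sidecar originate TLS. The manifests below are an added example, not taken from any of the posts or from the Istio project; `api.example.com`, the resource names and the CA bundle path are assumptions.

```yaml
# Added example: constructed manifests, api.example.com is a placeholder host.
# The application calls http://api.example.com (port 80). The sidecar sees the
# plaintext HTTP request, emits a span, then originates TLS to port 443.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-api
spec:
  hosts:
  - api.example.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 443        # forward port-80 traffic to the server's TLS port
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-api-tls
spec:
  host: api.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: SIMPLE       # sidecar originates one-way TLS to the external host
        sni: api.example.com
        # Assumption: CA bundle path inside the istio-proxy image. Without a CA
        # bundle the proxy may not validate the server certificate.
        caCertificates: /etc/ssl/certs/ca-certificates.crt
```

With this in place the hop from the application container to the sidecar is unencrypted inside the pod, and the trace headers Envoy adds are forwarded to the external host, so check that both are acceptable for the API in question.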