yu saito

Reputation: 127

Can envoy in istio trace external https api?

We use istio to use distributed tracing. Our microservices sometimes need to hit external APIs, which usually communicate over https.

To measure the exact performance of the whole system, we want to trace the communication when hitting an external API.
However, distributed tracing requires access to the header of the request, but https does not allow access because the header is encrypted.
For confirmation, I deployed bookinfo on GKE with istio enabled, entered the productpage container of the productpage pod, and executed the following command.

$ curl http://google.com
$ curl https://google.com

Only http communication was displayed on zipkin.

Is it possible to get a series of traces, including APIs that use external https?

Upvotes: 4

Views: 534

Answers (2)

Jakub

Reputation: 8840

Based on the Envoy documentation, it doesn't support HTTPS tracing.

The tracing configuration specifies global settings for the HTTP tracer used by Envoy. The configuration is defined by the Bootstrap tracing field. Envoy may support other tracers in the future, but right now the HTTP tracer is the only one supported.

And this post on stackoverflow

HTTPS (HTTP over SSL) sends all HTTP content over an SSL tunnel, so HTTP content and headers are encrypted as well.

I have even tried to reproduce that, but like in your case zipkin worked only for http.

Based on that I would say it's not possible to use zipkin to track https.

Upvotes: 1
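Added example (not part of the question or either answer): a Python sketch of what a proxy that does not terminate TLS can read from the first bytes of a connection, which is why only the http call produced a Zipkin span. The function names, the sample B3 header values and the ClientHello bytes are constructed for illustration.

```python
import struct

TRACE_HEADERS = ("x-request-id", "x-b3-traceid", "x-b3-spanid", "x-b3-sampled")

def build_client_hello(sni):
    """Constructed sample: minimal TLS ClientHello whose only extension is SNI."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name entry
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22

def extract_sni(rec):
    """Walk the cleartext ClientHello fields and return the SNI host, or None."""
    try:
        p = 5 + 4 + 2 + 32                       # record hdr, handshake hdr, version, random
        p += 1 + rec[p]                          # session id
        p += 2 + int.from_bytes(rec[p:p + 2], "big")   # cipher suites
        p += 1 + rec[p]                          # compression methods
        end = p + 2 + int.from_bytes(rec[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", rec[p:p + 4])
            if ext_type == 0:                    # server_name extension
                n = int.from_bytes(rec[p + 7:p + 9], "big")
                return rec[p + 9:p + 9 + n].decode()
            p += 4 + ext_len
    except (IndexError, struct.error):
        pass                                     # truncated record
    return None

def proxy_view(first_bytes):
    """What a proxy that does not terminate TLS can read from a new connection."""
    if first_bytes[:1] == b"\x16":               # TLS handshake: headers come later, encrypted
        return {"protocol": "tls", "sni": extract_sni(first_bytes), "trace_headers": {}}
    lines = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (l.partition(":") for l in lines[1:])}
    return {"protocol": "http", "request_line": lines[0],
            "trace_headers": {k: v for k, v in headers.items() if k in TRACE_HEADERS}}

# Constructed samples: an HTTP request carrying B3 headers, and a ClientHello for the same host.
HTTP_SAMPLE = (b"GET / HTTP/1.1\r\nHost: google.com\r\n"
               b"x-b3-traceid: 463ac35c9f6413ad48485a3953bb6124\r\n"
               b"x-b3-spanid: a2fb4a1d1a96d312\r\n\r\n")
TLS_SAMPLE = build_client_hello("google.com")
```

For the TLS sample the only application-level fact available is the SNI host name, so a passthrough proxy can log the destination but has no request headers to attach a span to.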

hqt

Reputation: 30284

You should use an egress gateway. When all external calls go through the gateway, Istio can get the metadata and do some tracing work. There are many advantages to using an ingress/egress gateway:

  • Increasing security: We can set up all security rules at the gateway.
  • Abstracting the application logic: Instead of configuring settings in each microservice.
  • TLS processing: Like the above example, envoy can have all the necessary data in HTTPS requests.

Upvotes: 0
