Reputation: 5930
How can I configure Istio VirtualService to route traffic to a destination backend that listens on HTTPS?
Configuring protocol: HTTPS or scheme: HTTPS didn't work.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: api-rpi-access
spec:
  hosts:
  - "test.example.com"
  gateways:
  - api-gateway
  http:
  - match:
    - uri:
        port: https
        prefix: /
    route:
    - destination:
        host: some-https-service
        port:
          number: 8443
        protocol: HTTPS
        # scheme: HTTPS
Here is my gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: api-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "test.example.com"
Upvotes: 3
Views: 16258
Reputation: 5930
In order to perform the TLS termination on istio-ingressgateway and send https traffic to the backend, I had to add the following DestinationRule:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: some-https-service
spec:
  host: diary
  trafficPolicy:
    tls:
      mode: SIMPLE
Here are the yamls for Gateway and VirtualService:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: api-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "test.example.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ext-access
spec:
  hosts:
  - "test.example.com"
  gateways:
  - api-gateway
  http:
  - match:
    - uri:
        port: https
        prefix: /
    route:
    - destination:
        host: some-https-service
        port:
          number: 8443
Upvotes: 6
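The DestinationRule in the answer above makes the gateway originate TLS toward the backend; depending on the Istio version, `mode: SIMPLE` on its own may encrypt that hop without verifying the backend's certificate. As an added example (not part of the original answer), the same rule is shown beside a variant that pins a CA and the expected server name; the CA path and the internal host name are placeholders, and the CA file is assumed to be mounted into the ingress gateway pod.

```yaml
# Added example. Apply ONE of the two documents, not both.
# Placeholders (not from the original posts): the CA file path and
# the name some-https-service.example.internal.

# Variant A: TLS origination only. The hop to port 8443 is encrypted,
# but no CA is configured for checking the certificate the backend presents.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: some-https-service
spec:
  host: some-https-service        # same host the VirtualService routes to
  trafficPolicy:
    tls:
      mode: SIMPLE
---
# Variant B: TLS origination with server verification, scoped to the
# HTTPS port so other ports of the service are not affected.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: some-https-service
spec:
  host: some-https-service
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 8443
      tls:
        mode: SIMPLE
        # CA bundle used to validate the backend certificate (placeholder path,
        # read by the gateway's proxy, so it must exist in the gateway pod).
        caCertificates: /etc/istio/backend-ca/ca.crt
        # Server name sent in the TLS handshake (placeholder).
        sni: some-https-service.example.internal
        # Names the backend certificate is allowed to carry (placeholder).
        subjectAltNames:
        - some-https-service.example.internal
```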
Reputation: 129
Have you got a destination rule setup also, as an example:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-test.example.com
spec:
  host: test.example.com
  trafficPolicy: # Apply to all ports
    portLevelSettings:
    - port:
        number: 443
      loadBalancer:
        simple: LEAST_CONN
some good information on istio routing
Upvotes: 3
Reputation: 3667
Currently your gateway is configured to terminate TLS on the gateway. Your VirtualService also needs a few modifications.
You need to change the TLS mode of your gateway to PASSTHROUGH.
tls:
  mode: PASSTHROUGH
According to istio documentation:
- Define a Gateway with a server section for port 443. Note the PASSTHROUGH TLS mode which instructs the gateway to pass the ingress traffic AS IS, without terminating TLS.

  apiVersion: networking.istio.io/v1alpha3
  kind: Gateway
  metadata:
    name: mygateway
  spec:
    selector:
      istio: ingressgateway # use istio default ingress gateway
    servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: PASSTHROUGH
      hosts:
      - nginx.example.com

- Configure routes for traffic entering via the Gateway:

  apiVersion: networking.istio.io/v1alpha3
  kind: VirtualService
  metadata:
    name: nginx
  spec:
    hosts:
    - nginx.example.com
    gateways:
    - mygateway
    tls:
    - match:
      - port: 443
        sniHosts:
        - nginx.example.com
      route:
      - destination:
          host: my-nginx
          port:
            number: 443

Hope it helps.
Upvotes: 3