External ServiceEntry with HTTPS protocol appears as TCP

[josejulio]

Bug description

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[X] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastrcture

Expected behavior

Data is expected in istio_requests_total when using a ServiceEntry with protocol = HTTPS, instead i only see data in istio_tcp_sent_bytes_total

This seems true for protocol=HTTP

Steps to reproduce the bug

1. Create a ServiceEntry using a protocol=HTTPS

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  location: MESH_EXTERNAL
  hosts:
    - "www.google.com"
  ports:
    - number: 443
      name: https
      protocol: HTTPS
  resolution: DNS

2. Connect to a pod in the mesh and start sending data to the host

istiooc exec -it $POD  -c $CONTAINER -- sh
watch 'curl -v   https://www.google.com'

3. Verify that no data regarding this ServiceEntry is added to istio_requests_total

Using HTTP does seem to add the data to istio_requests_total

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: www-httpvshttps
spec:
  location: MESH_EXTERNAL
  hosts:
    - "www.httpvshttps.com"
  ports:
    - number: 80
      name: http
      protocol: HTTP
  resolution: DNS

Version (include the output of istioctl version --remote and kubectl version)

$ istioctl version --remote
client version: version.BuildInfo{Version:"1.1.3", GitRevision:"d19179769183541c5db473ae8d062ca899abb3be", User:"root", Host:"fbd493e1-5d72-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.2-56-gd191797"}
citadel version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
egressgateway version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
galley version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
ingressgateway version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
pilot version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
policy version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
sidecar-injector version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
telemetry version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.7", GitCommit:"0c38c362511b20a098d7cd855f1314dad92c2780", GitTreeState:"clean", BuildDate:"2018-08-20T10:09:03Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2019-06-14T18:41:57Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}
istiooc version
oc v3.11.0+maistra-0.11.0+f2e7517
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://127.0.0.1:8443
kubernetes v1.11.0+d4cacc0

How was Istio installed?

Using istiooc

Environment where bug was observed (cloud vendor, OS, etc)

Fedora 29

Additionally, please consider attaching a cluster state archive by attaching
the dump file to this issue.

[hzxuzhonghu]

For https, it is converted to tcp

[josejulio]

For https, it is converted to tcp

Is this a limitation? Are there plans to have https traffic to store time-series for istio_requests?

[hzxuzhonghu]

envoy can not do tls termination(can be done in gateway) without configuring certs.

[josejulio]

Is possible to have these metrics filled?
I would like to know e.g. the number of request made to https://api.dropboxapi.com
Do i need to configure a Gateway? Could you point me to a sample if there is already one?
Thanks!

[hzxuzhonghu]

If you want metrics like the number of request, you can setup a egress gateway in theory, but this is too complicated i think. Take a look at the egress gateway https://istio.io/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/

[josejulio]

If you want metrics like the number of request, you can setup a egress gateway in theory, but this is too complicated i think. Take a look at the egress gateway https://istio.io/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/

Thanks for the info, do you think that in the future HTTPS requests (for external ServiceEntry) are going to fill istio_requests_total by default?

[hzxuzhonghu]

I donot think we can make it. because https requests are encrypted, envoy receives only tcp traffic and proxy it .

[howardjohn]

Thanks for the explanation @hzxuzhonghu, as mentioned it seems this is working as intended, and you can use an egressgateway to get around this if needed. It doesn't seem like there is any work needed here - if so please reopen/create a new issue. Thank!