External ServiceEntry with HTTPS protocol appears as TCP #14933

Closed
josejulio opened this issue Jun 17, 2019 · 8 comments

@josejulio josejulio commented Jun 17, 2019

Bug description

Affected product area (please put an X in all that apply)

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[X] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Expected behavior

Data is expected in istio_requests_total when using a ServiceEntry with protocol = HTTPS; instead, I only see data in istio_tcp_sent_bytes_total

This seems true for protocol=HTTP

Steps to reproduce the bug

  1. Create a ServiceEntry using a protocol=HTTPS

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  location: MESH_EXTERNAL
  hosts:
    - "www.google.com"
  ports:
    - number: 443
      name: https
      protocol: HTTPS
  resolution: DNS

  2. Connect to a pod in the mesh and start sending data to the host

istiooc exec -it $POD -c $CONTAINER -- sh
watch 'curl -v https://www.google.com'

  3. Verify that no data regarding this ServiceEntry is added to istio_requests_total

Using HTTP does seem to add the data to istio_requests_total

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: www-httpvshttps
spec:
  location: MESH_EXTERNAL
  hosts:
    - "www.httpvshttps.com"
  ports:
    - number: 80
      name: http
      protocol: HTTP
  resolution: DNS

Version (include the output of istioctl version --remote and kubectl version)

$ istioctl version --remote
client version: version.BuildInfo{Version:"1.1.3", GitRevision:"d19179769183541c5db473ae8d062ca899abb3be", User:"root", Host:"fbd493e1-5d72-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.2-56-gd191797"}
citadel version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
egressgateway version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
galley version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
ingressgateway version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
pilot version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
policy version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
sidecar-injector version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
telemetry version: version.BuildInfo{Version:"0.11.0-6", GitRevision:"74878c5d0f82e501871ab6302fd69e323e47f116", User:"redhat", Host:"redhat", GolangVersion:"go1.10.3", DockerHub:"docker.io/maistra", BuildStatus:"Clean", GitTag:"unknown"}
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.7", GitCommit:"0c38c362511b20a098d7cd855f1314dad92c2780", GitTreeState:"clean", BuildDate:"2018-08-20T10:09:03Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2019-06-14T18:41:57Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}
istiooc version
oc v3.11.0+maistra-0.11.0+f2e7517
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://127.0.0.1:8443
kubernetes v1.11.0+d4cacc0

How was Istio installed?

Using istiooc

Environment where bug was observed (cloud vendor, OS, etc)

Fedora 29

Additionally, please consider attaching a cluster state archive by attaching
the dump file to this issue.

Member

@hzxuzhonghu hzxuzhonghu commented Jun 18, 2019

For https, it is converted to tcp

Author

@josejulio josejulio commented Jun 18, 2019

> For https, it is converted to tcp

Is this a limitation? Are there plans to have https traffic to store time-series for istio_requests?

Member

@hzxuzhonghu hzxuzhonghu commented Jun 19, 2019

envoy cannot do tls termination (can be done in gateway) without configuring certs.

Author

@josejulio josejulio commented Jun 19, 2019

Is it possible to have these metrics filled?
I would like to know e.g. the number of requests made to https://api.dropboxapi.com
Do I need to configure a Gateway? Could you point me to a sample if there is already one?
Thanks!

Member

@hzxuzhonghu hzxuzhonghu commented Jun 20, 2019

If you want metrics like the number of requests, you can set up an egress gateway in theory, but this is too complicated, I think. Take a look at the egress gateway https://istio.io/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/

Author

@josejulio josejulio commented Jun 20, 2019

> If you want metrics like the number of requests, you can set up an egress gateway in theory, but this is too complicated, I think. Take a look at the egress gateway https://istio.io/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/

Thanks for the info. Do you think that in the future HTTPS requests (for external ServiceEntry) are going to fill istio_requests_total by default?

Member

@hzxuzhonghu hzxuzhonghu commented Jun 21, 2019

I do not think we can make it, because https requests are encrypted; envoy receives only tcp traffic and proxies it.
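
The explanation above, as an added example that is not part of the original thread and is not Istio or Envoy code: a simplified model of what a proxy without the TLS keys can read from the first bytes of a connection. For plaintext HTTP it can see the method and path; for HTTPS it can read only the cleartext SNI in the ClientHello, so only connection-level (TCP) data is available. The function names and the sample ClientHello are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")

def build_client_hello(host: str) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello with an SNI extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni           # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                            # client version, random
            + b"\x00"                                          # empty session id
            + b"\x00\x02\x13\x01"                              # one cipher suite
            + b"\x01\x00"                                      # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_from_client_hello(data: bytes):
    """Return the cleartext SNI host name, or None if data is not a complete ClientHello."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    try:
        p = 9 + 2 + 32                                         # skip headers, version, random
        p += 1 + data[p]                                       # session id
        p += 2 + struct.unpack_from("!H", data, p)[0]          # cipher suites
        p += 1 + data[p]                                       # compression methods
        end = p + 2 + struct.unpack_from("!H", data, p)[0]     # end of extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", data, p)
            p += 4
            if etype == 0:                                     # server_name extension
                nlen = struct.unpack_from("!H", data, p + 3)[0]
                name = data[p + 5:p + 5 + nlen]
                return name.decode("ascii") if len(name) == nlen else None
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                   # truncated or malformed input
    return None

def proxy_view(first_bytes: bytes) -> dict:
    """Simplified model of what a proxy without the TLS keys can read from a connection."""
    if first_bytes.startswith(HTTP_METHODS):
        parts = first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ", 2)
        if len(parts) == 3:
            return {"layer": "http", "method": parts[0], "path": parts[1]}
    # Encrypted or unknown payload: only connection-level facts remain.
    return {"layer": "tcp", "sni": sni_from_client_hello(first_bytes)}
```
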

Member

@howardjohn howardjohn commented Aug 26, 2019

Thanks for the explanation @hzxuzhonghu, as mentioned it seems this is working as intended, and you can use an egressgateway to get around this if needed. It doesn't seem like there is any work needed here - if so please reopen/create a new issue. Thanks!

@howardjohn howardjohn closed this Aug 26, 2019