New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Egress Gateways with TLS Origination AND TLS passthrough #23740
Comments
Okay, I think I have it working. Proposed update for the docs:
|
Thanks @justinkillen given this is solved, I will just close it for now. Feel free to reopen it. |
I feel like it would be beneficial to drop the networking and security tags, but leave it open as a docs issue. |
@justinkillen I am trying to accomplish the same thing, have the microservice establish an https connection through the egressgateway. i deployed the yaml you have above but when i try to test it i get the following error: wondering if you saw this while testing? Carls-MacBook-Pro:console-ui-jmeter-scripts carleastman$ kubectl exec -it workflow-api-6c7b7d4c8d-2znmt curl https://edition.cnn.com before applying the yaml that same curl from the pod worked. |
@ceastman-ibm can you provide envoy logs for the source pod proxy container and the egress pod proxy container? You'll need to enable envoy access logs if you don't already have them enabled. |
@justinkillen i got it figured out. |
@JimmyCYJ can we re-open this with only the Docs tag |
@nschhina has implemented the SDS based solution for egress gateway TLS/mTLS origination. The user guide is here https://preliminary.istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/. Could you follow this link the let us know if that solves the issue? |
@justinkillen I am reopening this per #23740 (comment) |
http request -> port 80 to 443 using Virtual Service is targetting to the 443 Listener we open on Egress Gateway using gateway API, just change VS rule from port 80 to 443 and then your request will be routed properly for 'https'. Does that make sense? This is not an issue with docs/feature and imo should stay closed. All Egress docs are now automated tested so there can't possible be a bug. cc: @JimmyCYJ |
@nschhina |
Bug description
In the article 'Egress Gateways with TLS Origination' (https://istio.io/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/), there is no consideration for https request from the client pod. Once the setup is complete, http request function correctly (e.g. 'http://edition.cnn.com/politics'), but https request hang for 3 minutes then times out:
In particular, note in the proxy log from the curl pod that direct connections are being attempted, which defeats the purpose of pushing traffic to a gateway.
[2020-05-12T01:17:22.147Z] "- - -" 0 - "-" "-" 517 0 300202 - "-" "-" "-" "-" "151.101.65.67:443" outbound|443||edition.cnn.com 172.25.69.92:52798 151.101.193.67:443 172.25.69.92:33354 edition.cnn.com -
Expected behavior
One of the primary use cases in my eyes for pushing TLS origination to a gateway (as opposed to in the client sidecar as in https://istio.io/docs/tasks/traffic-management/egress/egress-tls-origination/) is that it provides a chokepoint to enforce security policy. So, the expected behavior would be that outbound https connections are routed through the egress gateway utilizing TLS passthrough mode.
Steps to reproduce the bug
Follow the guide (section "Perform TLS origination with an egress gateway"), but in step 5 use https instead of http in the curl command.
Version (include the output of
istioctl version --remote
andkubectl version
andhelm version
if you used Helm)Helm not used
How was Istio installed?
Environment where bug was observed (cloud vendor, OS, etc)
AWS EKS 1.15, using AWS images for the worker nodes
The text was updated successfully, but these errors were encountered: