Add back rewrite authority in destination headers section #34181

Open
howardjohn opened this issue Jul 20, 2021 · 4 comments
Labels: area/networking, kind/enhancement, lifecycle/staleproof

@howardjohn
Member

This is possible now that we have envoyproxy/envoy#16775. Need to be careful to only set this on newer envoys.

howardjohn added this to the 1.12 milestone Sep 23, 2021
howardjohn added this to P2 in Prioritization Sep 23, 2021
istio-policy-bot added the lifecycle/stale label Jan 17, 2022
Prioritization automation moved this from P2 to Done Feb 1, 2022
istio-policy-bot added the lifecycle/automatically-closed label Feb 1, 2022
howardjohn added the lifecycle/staleproof label and removed the lifecycle/stale and lifecycle/automatically-closed labels Feb 1, 2022
@howardjohn
Member Author

Still relevant

howardjohn reopened this Feb 1, 2022
@jwineinger

Just confirming, it does seem like this is still an issue. We are unable to rewrite authority via the actual rewrite block or setting the request header on a virtualservice.

@howardjohn
Member Author

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews-route
spec:
  hosts:
  - echo
  http:
  - route:
    - destination:
        host: echo
      headers:
        request:
          set:
            Host: foo
```

Seems to work in 1.17. Can you show the config you are using?

@davegustafson

davegustafson commented Mar 28, 2023

@howardjohn I work with @jwineinger and can provide some examples and context.

We are trying to use a ServiceEntry to create a short one-word alias for a destination service. But the destination will only accept requests when the host header is set to the cluster FQDN. So we want to use a VirtualService to transform the short alias to the FQDN before the request reaches the destination.

Here's a minimum proof-of-concept that demonstrates the issue we're having followed by example output from a couple of commands. In the PoC here I'm running an httpbin container as the destination service so we can easily see the request headers.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: source
  labels:
    istio-injection: enabled
---
apiVersion: v1
kind: Namespace
metadata:
  name: destination
  labels:
    istio-injection: enabled
---
apiVersion: v1
kind: Pod
metadata:
  name: source
  namespace: source
spec:
  containers:
  - name: app
    image: alpine:latest
    imagePullPolicy: IfNotPresent
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "while true; do sleep 3600; done;" ]
---
apiVersion: v1
kind: Pod
metadata:
  name: destination
  namespace: destination
  labels:
    app: destination
spec:
  containers:
  - name: app
    image: kong/httpbin:latest
    imagePullPolicy: IfNotPresent
---
apiVersion: v1
kind: Service
metadata:
  name: destination
  namespace: destination
spec:
  type: ClusterIP
  selector:
    app: destination
  ports:
  - name: http-destination
    port: 80
    protocol: TCP
    targetPort: 80
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: alias
  namespace: destination
spec:
  exportTo:
  - '*'
  hosts:
  - alias
  endpoints:
  - address: destination.destination.svc.cluster.local
  ports:
  - name: http
    number: 80
    protocol: HTTP
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: alias
  namespace: destination
spec:
  exportTo:
  - '*'
  http:
  - route:
    - destination:
        host: alias
      headers:
        request:
          set:
            Host: destination.destination.svc.cluster.local
```

```
$ kubectl exec -n source pod/source -c app -- wget http://destination.destination.svc.cluster.local/headers -q -O-
{
  "headers": {
    "Host": "destination.destination.svc.cluster.local",
    "User-Agent": "Wget",
    ...
  }
}
```

In this second command, I would expect the host header to be rewritten to the destination FQDN, but it is not:

```
$ kubectl exec -n source pod/source -c app -- wget http://alias/headers -q -O-
{
  "headers": {
    "Host": "alias",
    "User-Agent": "Wget",
    ...
  }
}
```

Maybe we have something misconfigured in our global config? I tested this with Istio 1.17.1. In the VirtualService, I've also tried setting the destination to the full FQDN instead of the alias, but that made no difference.
