Open4

Egress - Gateway TLS Origination

takashi.kanazawa


Notes on the Istio KillerCoda scenario:
"https://killercoda.com/lorenzo-g/scenario/egress-gateways-tls-origination"

Check the Configured Traffic Policy Mode

You can check the configured outbound traffic policy mode with the following command. REGISTRY_ONLY means sidecars can only reach external hosts that are registered in the mesh (for example through a ServiceEntry), which is why the ServiceEntry in the next step is required:

$ kubectl get -n istio-system istiooperators installed-state -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'; echo
REGISTRY_ONLY

Create a Service Entry

Create a Service Entry resource in the default namespace named yahoo-ext to allow access to the host finance.yahoo.com over HTTP and HTTPS:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: yahoo-ext
spec:
  hosts:
  - finance.yahoo.com
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL

Create an Istio Gateway

Create an Istio Gateway to allow egress HTTP traffic on port 80 for the host finance.yahoo.com:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: yahoo-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - finance.yahoo.com

Create a DestinationRule

Create a DestinationRule resource in the default namespace named originate-tls-for-yahoo-com, containing a traffic policy with port-level settings to initiate HTTPS for connections to finance.yahoo.com:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-yahoo-com
spec:
  host: finance.yahoo.com
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 443
        tls:
          mode: SIMPLE # Initiates HTTPS for connections to finance.yahoo.com

Create a VirtualService

To route finance.yahoo.com request traffic through the egress gateway created above, you need a VirtualService. Its first match sends port-80 requests from sidecars (the mesh gateway) to the egress gateway service; the second match, applied on yahoo-egressgateway, sends them on to finance.yahoo.com port 443, the port on which the DestinationRule originates TLS:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-yahoo-through-egress-gateway
spec:
  hosts:
  - finance.yahoo.com
  gateways:
  - yahoo-egressgateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 80
  - match:
    - gateways:
      - yahoo-egressgateway
      port: 80
    route:
    - destination:
        host: finance.yahoo.com
        port:
          number: 443

Testing the Egress Gateway with TLS Origination

Test that the egress gateway resource configured with TLS Origination works correctly by making a request to finance.yahoo.com over HTTP:

$ kubectl exec tester -c tester -- \
    curl -sSL -o /dev/null -D - http://finance.yahoo.com/crypto | \
    grep HTTP/
HTTP/1.1 200 OK

Check the egress gateway logs to verify that the request reached finance.yahoo.com on port 443 (the upstream host :443 and the outbound|443||finance.yahoo.com cluster in the trailing fields):

$ kubectl logs -l istio=egressgateway -n istio-system | grep finance.yahoo.com | tail -n 2
[2024-09-05T02:55:01.640Z] "GET /crypto HTTP/2" 200 - via_upstream - "-" 0 1004407 2064 829 "192.168.1.6" "curl/7.88.1" "3370e5f1-9361-9765-a1dd-35be7b7fa9a8" "finance.yahoo.com" "27.123.42.204:443" outbound|443||finance.yahoo.com 192.168.1.5:54600 192.168.1.5:8080 192.168.1.6:52048 - -
[2024-09-05T02:55:08.290Z] "GET /crypto HTTP/2" 200 - via_upstream - "-" 0 1004407 1603 835 "192.168.1.6" "curl/7.88.1" "36457d20-ae30-9b22-89af-aba35577d7f1" "finance.yahoo.com" "27.123.43.204:443" outbound|443||finance.yahoo.com 192.168.1.5:59180 192.168.1.5:8080 192.168.1.6:52048 - -
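Reading the two trailing fields by eye works for two lines, but not for a day of gateway logs. The following script is an added example, not part of the original notes or of Istio: it parses lines in Istio's default text access-log format and passes a request only when the upstream cluster and upstream host show port 443, which is what the DestinationRule's TLS origination produces. The first two sample lines are the ones printed above; the third is constructed (203.0.113.10, request id "constructed-0003") to show what a cleartext port-80 egress would look like if the DestinationRule were missing.

```python
import re
from dataclasses import dataclass

# Field order of Istio's default text access-log format (22 fields), which the
# two gateway log lines above follow.
FIELDS = [
    "start_time", "request", "response_code", "response_flags",
    "response_code_details", "connection_termination_details",
    "upstream_transport_failure_reason", "bytes_received", "bytes_sent",
    "duration_ms", "upstream_service_time_ms", "x_forwarded_for", "user_agent",
    "request_id", "authority", "upstream_host", "upstream_cluster",
    "upstream_local_address", "downstream_local_address",
    "downstream_remote_address", "requested_server_name", "route_name",
]

# A token is a bracketed timestamp, a double-quoted string, or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_access_log(line: str) -> dict:
    """Split one Envoy access-log line into a field-name -> value dict."""
    tokens = [t.strip('[]"') for t in TOKEN.findall(line.strip())]
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    return dict(zip(FIELDS, tokens))


@dataclass
class Verdict:
    request_id: str
    ok: bool
    reason: str


def check_tls_origination(entry: dict, external_host: str) -> Verdict:
    """Pass only if the proxy sent this request to external_host on port 443.

    The upstream cluster name is direction|port|subset|host.  With gateway TLS
    origination the port must be 443, the port the DestinationRule applies
    tls mode SIMPLE to.  outbound|80||<host> means the request left the
    mesh as cleartext HTTP.
    """
    rid = entry["request_id"]
    if entry["authority"] != external_host:
        return Verdict(rid, False, f"authority {entry['authority']!r} is not {external_host}")
    parts = entry["upstream_cluster"].split("|")
    if len(parts) != 4 or parts[3] != external_host:
        return Verdict(rid, False, f"upstream cluster {entry['upstream_cluster']!r} is not the external host")
    if parts[1] != "443":
        return Verdict(rid, False, f"upstream cluster port {parts[1]} is not 443: no TLS origination, cleartext egress")
    if entry["upstream_host"].rsplit(":", 1)[-1] != "443":
        return Verdict(rid, False, f"upstream host {entry['upstream_host']!r} is not port 443")
    if not entry["response_code"].startswith("2"):
        return Verdict(rid, False, f"response {entry['response_code']} ({entry['response_code_details']})")
    return Verdict(rid, True, f"HTTPS to {entry['upstream_host']} via {entry['upstream_cluster']}")


def audit(lines, external_host: str) -> list:
    """Run the check over every line that names external_host; skip the rest."""
    return [check_tls_origination(parse_access_log(line), external_host)
            for line in lines if external_host in line]


# First two lines: the gateway log output shown above.  Third line: constructed
# cleartext egress (documentation address 203.0.113.10, port 80, no TLS origination).
SAMPLE_LOG = [
    '[2024-09-05T02:55:01.640Z] "GET /crypto HTTP/2" 200 - via_upstream - "-" 0 1004407 2064 829 "192.168.1.6" "curl/7.88.1" "3370e5f1-9361-9765-a1dd-35be7b7fa9a8" "finance.yahoo.com" "27.123.42.204:443" outbound|443||finance.yahoo.com 192.168.1.5:54600 192.168.1.5:8080 192.168.1.6:52048 - -',
    '[2024-09-05T02:55:08.290Z] "GET /crypto HTTP/2" 200 - via_upstream - "-" 0 1004407 1603 835 "192.168.1.6" "curl/7.88.1" "36457d20-ae30-9b22-89af-aba35577d7f1" "finance.yahoo.com" "27.123.43.204:443" outbound|443||finance.yahoo.com 192.168.1.5:59180 192.168.1.5:8080 192.168.1.6:52048 - -',
    '[2024-09-05T02:56:00.000Z] "GET /crypto HTTP/1.1" 200 - via_upstream - "-" 0 512 40 12 "192.168.1.6" "curl/7.88.1" "constructed-0003" "finance.yahoo.com" "203.0.113.10:80" outbound|80||finance.yahoo.com 192.168.1.5:40000 192.168.1.5:8080 192.168.1.6:52100 - -',
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG, "finance.yahoo.com"):
        print("OK  " if v.ok else "FAIL", v.request_id, v.reason)
```

To run it against a live gateway, pipe `kubectl logs -l istio=egressgateway -n istio-system` into `audit()` one line at a time; a FAIL with "cleartext egress" is the signal that the DestinationRule is missing or bound to the wrong port.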

Step-by-step Details:

  • Pod: The HTTP request from the Pod's sidecar is sent to istio-egressgateway, following the first routing rule (gateway mesh, port 80) defined in the VirtualService.
  • istio-egressgateway: The istio-egressgateway proxy handles the request on the yahoo-egressgateway listener (the Gateway resource is bound to that proxy by its istio: egressgateway selector) and applies the second routing rule defined in the VirtualService.
  • yahoo-egressgateway: Following the DestinationRule for TLS origination on port 443, the gateway communicates with finance.yahoo.com over HTTPS. This routing (destination port 443) is also defined in the VirtualService.
  • ServiceEntry: The ServiceEntry allows traffic to flow from the Pod via HTTP (port 80) and from the egress gateway via HTTPS (port 443) to finance.yahoo.com, which REGISTRY_ONLY would otherwise block.

About the port specified in the DestinationRule when performing TLS Origination

Egress - External services TLS origination:

The application communicates with the sidecar on port 80 (HTTP). In this scenario, the sidecar handles the TLS origination and communicates with the external service over HTTPS.


The DestinationRule defines policies for the communication between the sidecar and the external service. Because the sidecar performs the upgrade to HTTPS, the ServiceEntry must define the external service's targetPort as 443 (the HTTPS port), so that the TLS connection the sidecar originates is made to the port that actually speaks TLS.


  • DestinationRule: Port 80 for application-to-sidecar traffic.
  • ServiceEntry: Specifies targetPort 443 for external services.

Egress - Gateway TLS Origination:

In this case, the Egress Gateway is responsible for converting HTTP traffic from inside the cluster to HTTPS before sending it to the external service.


The DestinationRule specifies port 443, which is used by the Egress Gateway when sending traffic to the external service.

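The port relationship described in this section is easy to get wrong, and the failure is silent until a request is made: TLS originated on a port that is dialled to port 80 produces a handshake against a plaintext listener, and a DestinationRule with no TLS settings lets the request leave as cleartext. The following check is an added example, not part of these notes or of Istio: it reads the three manifests as Python dicts and verifies that every port the DestinationRule originates TLS on is dialled to 443 (directly, or through the ServiceEntry's targetPort) and that the VirtualService route to the external host points at such a port. GATEWAY_SE, GATEWAY_DR and GATEWAY_VS mirror the YAML on this page; the sidecar-case fixtures use the placeholder host external.example.com and are constructed.

```python
def tls_origination_ports(destination_rule: dict) -> set:
    """Ports on which the DestinationRule makes the proxy originate TLS."""
    policy = destination_rule["spec"].get("trafficPolicy", {})
    return {
        s["port"]["number"]
        for s in policy.get("portLevelSettings", [])
        if s.get("tls", {}).get("mode") in ("SIMPLE", "MUTUAL")
    }


def wire_ports(service_entry: dict) -> dict:
    """ServiceEntry port number -> port actually dialled (targetPort if set)."""
    return {p["number"]: p.get("targetPort", p["number"])
            for p in service_entry["spec"]["ports"]}


def check_origination(destination_rule: dict, service_entry: dict,
                      virtual_service=None, https_port: int = 443) -> list:
    """Return a list of problems; an empty list means TLS origination is consistent."""
    problems = []
    host = destination_rule["spec"]["host"]
    tls_ports = tls_origination_ports(destination_rule)
    dial = wire_ports(service_entry)
    if not tls_ports:
        problems.append(f"{host}: no port-level tls mode SIMPLE/MUTUAL, requests leave as cleartext HTTP")
    for port in tls_ports:
        if port not in dial:
            problems.append(f"{host}: TLS originated on port {port}, but the ServiceEntry does not declare that port")
        elif dial[port] != https_port:
            problems.append(f"{host}: TLS originated on port {port} is dialled to port {dial[port]}; "
                            f"the external service expects TLS on {https_port} "
                            f"(set targetPort: {https_port} or use port {https_port})")
    # Gateway case: the VirtualService route from the gateway to the external host
    # must point at a port the DestinationRule originates TLS on.
    if virtual_service:
        for route in virtual_service["spec"].get("http", []):
            for dest in route.get("route", []):
                d = dest["destination"]
                port = d.get("port", {}).get("number")
                if d["host"] == host and port not in tls_ports:
                    problems.append(f"{host}: VirtualService routes to port {port}, which has no TLS origination")
    return problems


# From this page (only the fields the check reads): ServiceEntry yahoo-ext,
# DestinationRule originate-tls-for-yahoo-com, VirtualService direct-yahoo-through-egress-gateway.
GATEWAY_SE = {"spec": {"hosts": ["finance.yahoo.com"], "ports": [
    {"number": 80, "name": "http", "protocol": "HTTP"},
    {"number": 443, "name": "https", "protocol": "HTTPS"}]}}
GATEWAY_DR = {"spec": {"host": "finance.yahoo.com", "trafficPolicy": {"portLevelSettings": [
    {"port": {"number": 443}, "tls": {"mode": "SIMPLE"}}]}}}
GATEWAY_VS = {"spec": {"http": [
    {"route": [{"destination": {"host": "istio-egressgateway.istio-system.svc.cluster.local",
                                "port": {"number": 80}}}]},
    {"route": [{"destination": {"host": "finance.yahoo.com", "port": {"number": 443}}}]}]}}

# Constructed sidecar-origination counterparts (placeholder host): port 80 is dialled
# to 443 through targetPort, and the DestinationRule originates TLS on port 80.
SIDECAR_SE = {"spec": {"hosts": ["external.example.com"], "ports": [
    {"number": 80, "name": "http", "protocol": "HTTP", "targetPort": 443},
    {"number": 443, "name": "https", "protocol": "HTTPS"}]}}
SIDECAR_DR = {"spec": {"host": "external.example.com", "trafficPolicy": {"portLevelSettings": [
    {"port": {"number": 80}, "tls": {"mode": "SIMPLE"}}]}}}

# Constructed misconfigurations: a ServiceEntry without targetPort (the sidecar would
# start a TLS handshake against port 80), and a gateway route to port 80 of the host.
BROKEN_SE = {"spec": {"hosts": ["external.example.com"], "ports": [
    {"number": 80, "name": "http", "protocol": "HTTP"}]}}
BROKEN_VS = {"spec": {"http": [
    {"route": [{"destination": {"host": "finance.yahoo.com", "port": {"number": 80}}}]}]}}

if __name__ == "__main__":
    for label, args in [("gateway", (GATEWAY_DR, GATEWAY_SE, GATEWAY_VS)),
                        ("sidecar", (SIDECAR_DR, SIDECAR_SE)),
                        ("sidecar, no targetPort", (SIDECAR_DR, BROKEN_SE)),
                        ("gateway, route to 80", (GATEWAY_DR, GATEWAY_SE, BROKEN_VS))]:
        print(label, "->", check_origination(*args) or "consistent")
```

The two correct cases come out empty: the gateway case because the DestinationRule and the VirtualService both use 443, the sidecar case because port 80 is mapped to 443 by targetPort. The two constructed cases each produce one finding, which is the check you want to run before applying a new ServiceEntry/DestinationRule pair.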