Egress - External services TLS origination

takashi.kanazawa

Notes on the Istio KillerCoda scenario from the link below:
https://killercoda.com/lorenzo-g/scenario/egress-external-services-tls-origination

Configure service entry for HTTP and HTTPs traffic access

Task

Create a service entry resource in the default namespace named finance-yahoo-com to allow access to host finance.yahoo.com over HTTP and HTTPS, with the following properties:

Service Entry:

  • name: finance-yahoo-com
  • hosts: finance.yahoo.com
  • resolution: DNS
  • location: MESH_EXTERNAL

Service Entry Port 1:

  • number: 80
  • name: http-port
  • protocol: HTTP

Service Entry Port 2:

  • number: 443
  • name: https-port
  • protocol: HTTPS

Answer

# Step 1: Verify the IstioOperator resource to ensure Istio is installed and running
# Check the IstioOperator resources; this confirms the Istio installation
controlplane $ kubectl get iop -n istio-system

# Step 2: Check the outbound traffic policy to confirm it is in REGISTRY_ONLY mode
# This command checks the outbound traffic policy mode (REGISTRY_ONLY) to understand if external services need to be explicitly allowed through ServiceEntry.
controlplane $ kubectl get iop installed-state -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'; echo

# Step 3: Verify that the ServiceEntry resource is available in your cluster
# This confirms that the ServiceEntry CRD is installed and available in the cluster.
# Check the correct apiVersion for the ServiceEntry resource to use in your YAML file.
controlplane $ kubectl api-resources | grep serviceen
serviceentries                      se           networking.istio.io/v1            true         ServiceEntry

# Step 4: Create the ServiceEntry YAML file to allow access to finance.yahoo.com
controlplane $ vi finance-yahoo-com-se.yaml

# Step 5: Apply the ServiceEntry definition in the YAML file
controlplane $ kubectl apply -f finance-yahoo-com-se.yaml
serviceentry.networking.istio.io/finance-yahoo-com configured

# Step 6: Test that the service entry resource configuration works correctly by making a request to the external finance.yahoo.com service over HTTP.
controlplane $ kubectl exec tester -c tester -- \
>   curl -sSL -o /dev/null -D - http://finance.yahoo.com/crypto | \
>   grep -e HTTP/ -e location; \
>   echo;
HTTP/1.1 301 Moved Permanently
location: https://finance.yahoo.com/crypto
HTTP/2 200

# finance-yahoo-com-se.yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: finance-yahoo-com
  namespace: default
spec:
  hosts:
  - finance.yahoo.com
  resolution: DNS
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https-port
    protocol: HTTPS

Configure service entry to redirect HTTP traffic to HTTPS

Task

Update the service entry resource named finance-yahoo-com created earlier so that any HTTP traffic is automatically redirected to HTTPS: set target port 443 on the http-port service entry port using the targetPort property.

Configure the finance-yahoo-com service entry with the following properties:

Service Entry:

  • name: finance-yahoo-com
  • hosts: finance.yahoo.com
  • resolution: DNS
  • location: MESH_EXTERNAL

Service Entry Port 1:

  • number: 80
  • name: http-port
  • protocol: HTTP
  • target port: 443

Service Entry Port 2:

  • number: 443
  • name: https-port
  • protocol: HTTPS

Answer

controlplane $ vi finance-yahoo-com-se.yaml
controlplane $ kubectl apply -f finance-yahoo-com-se.yaml
serviceentry.networking.istio.io/finance-yahoo-com configured

# finance-yahoo-com-se.yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: finance-yahoo-com
spec:
  hosts:
  - finance.yahoo.com
  resolution: DNS
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
    targetPort: 443 # add
  - number: 443
    name: https-port
    protocol: HTTPS

Configure destination rule TLS origination

Task

Create a DestinationRule named finance-yahoo-com in the default namespace and configure it to perform TLS origination for HTTP requests to finance.yahoo.com using a TrafficPolicy.

Configure the destination rule resource with the following properties:

Destination Rule:

  • name: finance-yahoo-com
  • namespace: default
  • host: finance.yahoo.com

Traffic Policy Port Level Settings:

  • port number: 80
  • tls mode: SIMPLE

Answer

controlplane $ k api-resources | grep desti
destinationrules                    dr           networking.istio.io/v1beta1       true         DestinationRule

controlplane $ vi finance-yahoo-com-dr.yaml
controlplane $ kubectl apply -f finance-yahoo-com-dr.yaml
destinationrule.networking.istio.io/finance-yahoo-com created

controlplane $ kubectl exec tester -c tester -- \
>   curl -sS -o /dev/null -D - http://finance.yahoo.com/crypto | \
>   grep -e HTTP/ -e location; \
>   echo;
HTTP/1.1 200 OK

# finance-yahoo-com-dr.yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: finance-yahoo-com
spec:
  host: finance.yahoo.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: SIMPLE # initiates HTTPS when accessing finance.yahoo.com

When a client requests http://finance.yahoo.com/crypto, the server answers with a redirect to HTTPS, so the request takes twice the latency of a direct HTTPS request. To avoid this, configure the ServiceEntry and DestinationRule for TLS origination: the sidecar then upgrades the application's plain HTTP request to HTTPS before it leaves the mesh.
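An added check, not part of the KillerCoda scenario or of these notes: the two manifests above only work together if the port the DestinationRule sets `tls.mode: SIMPLE` on is the ServiceEntry's plaintext port and that port carries a `targetPort` pointing at the ServiceEntry's HTTPS port; otherwise the sidecar would send TLS to port 80. The script below mirrors the page's YAML as Python dicts (so it needs no PyYAML), lints that coupling, and classifies `curl -D -` header dumps like the two shown above into "redirect hop present" versus "direct 200". The traces and the `drop_target_port` helper are constructed for the example.

```python
"""Consistency lint for an Istio ServiceEntry/DestinationRule TLS-origination
pair, plus a classifier for curl header traces (example code, not from the
scenario)."""
import copy
from typing import List

# Manifests mirrored from the page's YAML as plain dicts.
SERVICE_ENTRY = {
    "apiVersion": "networking.istio.io/v1beta1",
    "kind": "ServiceEntry",
    "metadata": {"name": "finance-yahoo-com", "namespace": "default"},
    "spec": {
        "hosts": ["finance.yahoo.com"],
        "resolution": "DNS",
        "location": "MESH_EXTERNAL",
        "ports": [
            {"number": 80, "name": "http-port", "protocol": "HTTP", "targetPort": 443},
            {"number": 443, "name": "https-port", "protocol": "HTTPS"},
        ],
    },
}

DESTINATION_RULE = {
    "apiVersion": "networking.istio.io/v1alpha3",
    "kind": "DestinationRule",
    "metadata": {"name": "finance-yahoo-com", "namespace": "default"},
    "spec": {
        "host": "finance.yahoo.com",
        "trafficPolicy": {
            "portLevelSettings": [
                {"port": {"number": 80}, "tls": {"mode": "SIMPLE"}},
            ]
        },
    },
}

# Constructed header dumps, shaped like the curl output in the notes.
TRACE_BEFORE = (
    "HTTP/1.1 301 Moved Permanently\n"
    "location: https://finance.yahoo.com/crypto\n"
    "HTTP/2 200\n"
)
TRACE_AFTER = "HTTP/1.1 200 OK\n"


def lint_tls_origination(se: dict, dr: dict) -> List[str]:
    """Return findings (empty list means the pair is consistent).

    For every port on which the DestinationRule sets tls.mode SIMPLE, the
    ServiceEntry must declare that port as protocol HTTP and give it a
    targetPort that is one of the ServiceEntry's HTTPS ports."""
    findings: List[str] = []
    se_spec, dr_spec = se["spec"], dr["spec"]
    if dr_spec["host"] not in se_spec["hosts"]:
        findings.append(f"DR host {dr_spec['host']} is not in ServiceEntry hosts")
    ports = {p["number"]: p for p in se_spec["ports"]}
    https_ports = {n for n, p in ports.items() if p["protocol"] == "HTTPS"}
    for pls in dr_spec.get("trafficPolicy", {}).get("portLevelSettings", []):
        number = pls["port"]["number"]
        if pls.get("tls", {}).get("mode") != "SIMPLE":
            continue
        port = ports.get(number)
        if port is None:
            findings.append(f"DR originates TLS on port {number}, which the ServiceEntry does not declare")
            continue
        if port["protocol"] != "HTTP":
            findings.append(f"port {number}: expected protocol HTTP, got {port['protocol']}")
        target = port.get("targetPort")
        if target is None:
            findings.append(f"port {number}: no targetPort, so TLS would be sent to port {number} itself")
        elif target not in https_ports:
            findings.append(f"port {number}: targetPort {target} is not an HTTPS port of the ServiceEntry")
    return findings


def drop_target_port(se: dict, number: int) -> dict:
    """Copy of the ServiceEntry with targetPort removed from one port (hypothetical misconfig)."""
    broken = copy.deepcopy(se)
    for port in broken["spec"]["ports"]:
        if port["number"] == number:
            port.pop("targetPort", None)
    return broken


def response_chain(header_dump: str) -> List[int]:
    """Status code of each response in a `curl -D -` dump (one per hop with -L)."""
    codes = []
    for line in header_dump.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("HTTP/"):
            codes.append(int(parts[1]))
    return codes


def origination_effective(header_dump: str) -> bool:
    """True when the first response is already 200, i.e. no 301-to-HTTPS hop was needed."""
    chain = response_chain(header_dump)
    return bool(chain) and chain[0] == 200


if __name__ == "__main__":
    print("findings:", lint_tls_origination(SERVICE_ENTRY, DESTINATION_RULE))
    print("findings without targetPort:", lint_tls_origination(drop_target_port(SERVICE_ENTRY, 80), DESTINATION_RULE))
    print("before:", response_chain(TRACE_BEFORE), "after:", response_chain(TRACE_AFTER))
```

Run it as-is to see the consistent pair pass and the copy without `targetPort` fail; to lint a live cluster, feed it the output of `kubectl get se,dr finance-yahoo-com -o json` instead of the embedded dicts.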