serviceentry / virtual service does not work when targeting an outside server. #50997
Comments
Error log:
What is the gateway created and the xDS configuration generated?
Hi @hzxuzhonghu
Attached is the config_dump for
Here is log when api is invoked:
I cannot even search
@hzxuzhonghu, I also could not find it previously. Maybe I got it from the wrong pod, or something else... Sorry for the confusion. This time I put everything in istio-system and tested with another ingress gateway, as below.
Here are the test and the full log for the ingress gateway container, including container start and the error during the API call. FYI
Note that I have not installed
An egress gateway is not a must; actually, the ingress gateway can act as an egress gateway too if you want.
Thanks very much, @hzxuzhonghu. Here is the background for my try: Appreciate your support.
@howardjohn Can you also help take a look, thanks a lot.
I doubt if this is caused by
Thanks so much! @howardjohn
@hzxuzhonghu , you are completely right.
$ curl https://httpbin443-onecloudsol-dev.web.dev-sol-us.hponecloud.io/ip
Are you really using httpbin in your tests, or something else? I don't see why httpbin would fail to verify.
Yes, I am using httpbin; actually the code is exactly the same as #50997 (comment)
Thanks so much @hzxuzhonghu @howardjohn. Or, could we improve this in the Istio code directly? Like, add a flag similar to insecureSkipVerify, called "removeOutbound", in the DestinationRule. Then change the Appreciate your comments.
Previously we did not verify; this is now changed by VERIFY_CERTIFICATE_AT_CLIENT. You can tune it to false, I believe it can also work for you, so you do not need an envoyfilter to do that.
Thanks. Close this issue.
Full reproducer:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: httpbin
  namespace: istio-system
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 443
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-tls
  namespace: istio-system
spec:
  host: httpbin.org
  trafficPolicy:
    tls:
      mode: SIMPLE
      sni: httpbin.org # DOES FIX IT
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-ext
  namespace: istio-system
spec:
  gateways:
  - istio-system/web-gateway
  hosts:
  - httpbin443-onecloudsol-dev.web.dev-sol-us.hponecloud.io
  http:
  - timeout: 3s
    rewrite:
      authority: httpbin.org # DOES NOT FIX IT
    route:
    - destination:
        host: httpbin.org
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: web-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
```

A few questions here...
@leosarra could you please take a look at this?
Sure I will
@johnzheng1975 Could you please try with what John Howard mentioned above to have the hardcoded SNI in the DestinationRule? If that works, you don't need to turn on My team is doing exactly what you are trying to achieve and we have hardcoded SNI in all external endpoints' destination rules. It works well from Istio 1.15 to Istio 1.19. We haven't maintained any clusters with Istio >= 1.20 yet though.
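The reproducer and the follow-up comment both land on the same fix: a DestinationRule that originates TLS (mode SIMPLE) to a MESH_EXTERNAL host needs a hardcoded sni, and rewriting the authority in the VirtualService does not substitute for it. The lint below is an added example, not Istio code or anything posted in this thread; it walks the dict form of a manifest set (what yaml.safe_load_all would return) and flags the missing-sni case, plus any insecureSkipVerify that would trade verification for a quick fix. The manifests and function names are constructed for the example.

```python
# Added example: lint parsed Istio manifests for the TLS-origination
# misconfiguration discussed in issue #50997. Not Istio's own code.


def external_hosts(manifests):
    """Hosts declared by MESH_EXTERNAL ServiceEntries (e.g. httpbin.org)."""
    hosts = set()
    for m in manifests:
        spec = m.get("spec", {})
        if m.get("kind") == "ServiceEntry" and spec.get("location") == "MESH_EXTERNAL":
            hosts.update(spec.get("hosts", []))
    return hosts


def lint_tls_origination(manifests):
    """Return findings for DestinationRules that originate TLS to an external
    host without a hardcoded sni, or that disable verification."""
    ext = external_hosts(manifests)
    findings = []
    for m in manifests:
        if m.get("kind") != "DestinationRule":
            continue
        spec = m.get("spec", {})
        host = spec.get("host")
        tls = spec.get("trafficPolicy", {}).get("tls", {})
        if host not in ext or tls.get("mode") != "SIMPLE":
            continue  # only TLS origination to mesh-external hosts matters here
        name = m["metadata"]["name"]
        if not tls.get("sni"):
            findings.append(f"{name}: TLS origination to external host {host} has no sni "
                            "(hardcoding sni is the fix from this thread)")
        if tls.get("insecureSkipVerify"):
            findings.append(f"{name}: insecureSkipVerify disables upstream certificate "
                            f"verification for {host}; set sni instead")
    return findings


def reproducer(with_sni, skip_verify=False):
    """Constructed dict-form equivalent of the ServiceEntry + DestinationRule above."""
    tls = {"mode": "SIMPLE"}
    if with_sni:
        tls["sni"] = "httpbin.org"
    if skip_verify:
        tls["insecureSkipVerify"] = True
    return [
        {"kind": "ServiceEntry", "metadata": {"name": "httpbin"},
         "spec": {"hosts": ["httpbin.org"], "resolution": "DNS", "location": "MESH_EXTERNAL"}},
        {"kind": "DestinationRule", "metadata": {"name": "originate-tls"},
         "spec": {"host": "httpbin.org", "trafficPolicy": {"tls": tls}}},
    ]


if __name__ == "__main__":
    for finding in lint_tls_origination(reproducer(with_sni=False)):
        print(finding)
```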
Bug Description
I need to let the ingress gateway act as a proxy for an outside domain. It works for http://httpbin.org, but cannot work for https://.
(mtls is set strict in cluster)
Happy case
Fail case 1 for https:
Fail case 2 for https:
Version
Additional Information
mTLS is enabled in STRICT mode