Egress Gateway not working for HTTPS Requests #45824
Unanswered
ChrisJBurns
asked this question in
Q&A
Replies: 2 comments
-
HTTPThe following are the http YAML's that work perfectly fine, it's just the https that doesn't work. ---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: cnn
namespace: istio-system
spec:
hosts:
- edition.cnn.com
ports:
- number: 80
name: http-port
protocol: HTTP
- number: 443
name: https
protocol: HTTPS
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: egress-gateway
namespace: istio-system
spec:
selector:
istio: egress-gateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- edition.cnn.com
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-cnn
namespace: infra
spec:
host: istio-egress-gateway.istio-system.svc.cluster.local
subsets:
- name: cnn
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-cnn-through-egress-gateway
namespace: infra
spec:
hosts:
- edition.cnn.com
gateways:
- istio-system/egress-gateway
- mesh
http:
- match:
- gateways:
- mesh
port: 80
route:
- destination:
host: istio-egress-gateway.istio-system.svc.cluster.local
subset: cnn
port:
number: 80
weight: 100
- match:
- gateways:
- istio-system/egress-gateway
port: 80
route:
- destination:
host: edition.cnn.com
port:
number: 80
weight: 100 Although I still can't see anything in the routes config when I run [
{
"virtualHosts": [
{
"name": "backend",
"domains": [
"*"
],
"routes": [
{
"match": {
"prefix": "/stats/prometheus"
},
"route": {
"cluster": "prometheus_stats"
}
}
]
}
]
},
{
"virtualHosts": [
{
"name": "backend",
"domains": [
"*"
],
"routes": [
{
"match": {
"prefix": "/healthz/ready"
},
"route": {
"cluster": "agent"
}
}
]
}
]
}
] |
Beta Was this translation helpful? Give feedback.
0 replies
-
I'm seeing similar failures for my mTLS setup: |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Am running the following code and when I try to exec onto a pod (with a sidecar) within the infra namespace and run
curl -sSL -o /dev/null -D - https://edition.cnn.com/politics
, I getcurl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to edition.cnn.com:443
. Am following https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-https-trafficThe http traffic worked fine. But the https does not.
Here's my yamls
Istio version: 1.18
Is worth mentioning, it works when I add the
ServiceEntry
on it's own. But I get the curl error above when adding theGateway
,DestinationRule
andVirtualService
. Also the result ofistioctl pc routes $(kubectl get pods -l istio=egress-gateway -o jsonpath='{.items[0].metadata.name}' -n istio-system).istio-system -o json
is justBeta Was this translation helpful? Give feedback.
All reactions