
Istio Ingress Gateway with TLS termination returning 503 service unavailable


We want to route https traffic to an https endpoint using Istio Ingress Gateway.

We terminate the TLS traffic at the Ingress Gateway, but our backend service uses https as well.

I have the following manifests:

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: datalake-dsodis-istio-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "gw-hdfs-spark.dsodis.domain"
    - "spark-history.dsodis.domain"
    port:
      name: https-wildcard
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: gw-spark-history-istio-vs
spec:
  gateways:
  - default/datalake-dsodis-istio-gateway
  hosts:
  - "spark-history.dsodis.domain"
  http:
    - match:
      - uri:
          prefix: /
      route:
        - destination:
            host: gateway-svc-clusterip.our_application_namespace.svc.cluster.local
            port:
              number: 8443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-spark-history
spec:
  host: gateway-svc-clusterip.our_application_namespace.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 8443
      tls:
        mode: SIMPLE

The problem is most likely that we are sending TLS-terminated traffic, (so to say) HTTP traffic, to the HTTPS backend. Therefore we might get 503 Service Unavailable when accessing the service through Istio.

The command accessing it is:

curl -vvvv -H"Host: spark-history.dsodis.domain" --resolve "spark-history.dsodis.domain:31390:IP" https://spark-history.dsodis.domain:31390/gateway/default/sparkhistory  -k

My question is, how can I tell Istio to route traffic to the backend service using https?

Thanks in advance.

Best regards, rforberger


Solution

  • As RonnyForberger mentioned in his comment, this can be achieved by creating a DestinationRule that tells Istio to make the connection to the destination service a TLS connection.

    So in this scenario:

    1. HTTPS request gets TLS terminated at Gateway to HTTP.
    2. Then the HTTP request is translated to TLS with DestinationRule to HTTPS.
    3. HTTPS request reaches HTTPS backend.
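The three-step flow above only works when every gateway route to a TLS backend port has a matching DestinationRule; when the rule is missing or set to DISABLE, plaintext HTTP hits the HTTPS listener and the gateway answers 503. The following lint, added here as an example and not part of the question or answer, checks parsed manifests for exactly that gap. It represents the question's VirtualService and DestinationRule as the dicts a YAML parser would yield, and takes the set of backend host/port pairs known to serve TLS (here the 8443 backend from the question) as an input assumption.

```python
# Added example (not from the question or answer): lint parsed Istio manifests for
# the 503 pattern above: a gateway route reaches a TLS backend port with no TLS origination.
BACKEND = "gateway-svc-clusterip.our_application_namespace.svc.cluster.local"
# Constructed dict form (what a YAML parser yields) of the question's manifests.
VIRTUAL_SERVICE = {"kind": "VirtualService", "spec": {
    "gateways": ["default/datalake-dsodis-istio-gateway"],
    "hosts": ["spark-history.dsodis.domain"],
    "http": [{"match": [{"uri": {"prefix": "/"}}],
              "route": [{"destination": {"host": BACKEND, "port": {"number": 8443}}}]}]}}
DESTINATION_RULE = {"kind": "DestinationRule", "spec": {
    "host": BACKEND,
    "trafficPolicy": {"loadBalancer": {"simple": "ROUND_ROBIN"},
                      "portLevelSettings": [{"port": {"number": 8443},
                                             "tls": {"mode": "SIMPLE"}}]}}}
# Backend (host, port) pairs that terminate TLS themselves, per the question.
HTTPS_BACKENDS = {(BACKEND, 8443)}


def tls_originating(destination_rules):
    """host -> ports a DestinationRule upgrades to TLS; None stands for all ports."""
    origins = {}
    for dr in destination_rules:
        spec = dr["spec"]
        policy = spec.get("trafficPolicy", {})
        ports = origins.setdefault(spec["host"], set())
        if policy.get("tls", {}).get("mode", "DISABLE") != "DISABLE":
            ports.add(None)  # rule-wide tls: covers every port of the host
        for setting in policy.get("portLevelSettings", []):
            if setting.get("tls", {}).get("mode", "DISABLE") != "DISABLE":
                ports.add(setting["port"]["number"])
    return origins


def plaintext_routes_to_https(virtual_services, destination_rules, https_backends):
    """Destinations a gateway VirtualService reaches in plain HTTP although the
    backend expects TLS there: the misconfiguration that produced the 503."""
    origins = tls_originating(destination_rules)
    findings = []
    for vs in virtual_services:
        spec = vs["spec"]
        if not spec.get("gateways"):  # mesh-internal only; not the ingress case
            continue
        for rule in spec.get("http", []):
            for route in rule.get("route", []):
                dest = route["destination"]
                key = (dest["host"], dest.get("port", {}).get("number"))
                if key in https_backends and not ({None, key[1]} & origins.get(key[0], set())):
                    findings.append(key)
    return findings
```

Running `plaintext_routes_to_https([VIRTUAL_SERVICE], [], HTTPS_BACKENDS)` reports the 8443 backend; passing `[DESTINATION_RULE]` as well returns an empty list, matching the fix in the answer.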