Comments (6)
Can you share a config dump (istioctl pc all PODNAME
)? Istio knows when its HTTPS and does HTTP metrics, so this means either:
- Its not actually doing what you think (terminating HTTPS)
- Stats are not configured correctly
- A new bug
from istio.
The Egress Gateway is definitely terminating the TLS connection. I see the Common Name of the certificate (which we set to a distinct own name) when I do e.g. curl -v https://httpbin.org/status/200
in a source workload/pod, and also issue for httpbin.org (for testing):
* Server certificate:
* subject: CN=egress-server-cert
* start date: Apr 30 14:41:18 2024 GMT
* expire date: Apr 30 14:41:18 2025 GMT
* subjectAltName: host "httpbin.org" matched cert's "httpbin.org"
* issuer: CN=pki-ca
* SSL certificate verify ok.
And the certificate is only ever mounted to the Egress Gateway's Gateway
CRD, which looks like this:
spec:
selector:
app: istio-egressgateway
istio: egressgateway
servers:
- hosts:
- '*'
port:
name: https-port
number: 443
protocol: HTTPS
tls:
credentialName: egress-server-cert-secret
mode: SIMPLE
I think, it is much like with an Ingress Gateway which terminates HTTPS/TLS connections for our own server domain (with a public Let's Encrypt certificate). There, I also do not see (via Prometheus stats endpoint) the incoming/downstream requests from clients towards the Ingress Gateway. So, no istio_requests_total
metrics here when the reporter="destination"
on that Ingress Gateway pod. However, upstream requests are visible as Prometheus metrics when the HTTPS/TLS-terminated requests go upstream from the Ingress Gateway to the upstream services/backends. There, I do see the HTTP requests e.g. via istio_requests_total{reporter="source", source_app="istio-ingressgateway"}
.
But no downstream HTTP metrics with istio_requests_total{reporter="destination", destination_app="istio-ingressgateway"}
.
The exact same scenario is with the Egress Gateway: Terminating the downstream HTTPS/TLS connections, but no HTTP/L7 metrics over the Prometheus stats endpoint for incoming/downstream requests. Though, outgoing/upstream requests, the metrics are fine.
I am going to assemble a sensible istioctl pc all egress-gateway-...
output, because it contains many sensitive information at many places and is many tens of thousands of lines long.
By the way, we are using Istio 1.21.2.
from istio.
1 request to a gateway generates 1 single metric, not a distinct one for upstream and downstream.
Sidecars generate 2 because there are two distinct sidecars (each generates 1)
from istio.
1 request to a gateway generates 1 single metric, not a distinct one for upstream and downstream.
Oh, that makes total sense, since there is only one listener filter chain and single http connection manager processed.
So, is there no way to correlate requests through a gateway between the downstream and upstream?
What I really am after is to know in the metrics which downstream service was sending a request through a gateway, which ultimately sent this very request upstream to another service.
I cannot track the HTTPS request in the originating workload's outgoing sidecar, because it cannot inspect the HTTPS/TLS traffic on layer 7. Only the gateway could do that, but since, as you said, there is only a single metric generated, and that metrics seems to look like "outgoing/upstream" metrics (so the source_app is the gateway and the destination_app is the service this request is destined for).
What I would like to have is a single metric point with the originating service being the source_app and the eventual destination upstream being the destination_app.
from istio.
Basically no. You can use tracing to do this, but its of course not quite the same as metrics.
Interestingly, part of ambient mesh we decided to make the waypoint component work exactly how you want it to work: #42320 (comment). While we haven't talked about it much yet, there are plans to be able to use waypoints like egress gateways, which would ultimately fulfill that use case. Its a ways off to get the egress part though.
from istio.
Thank you for your answers and insights. Much appreciated!
Actually, the reason why we opted for an egress gateway was that there does not seem to be an easy way for the outbound listener of a workload's sidecar to do the TLS-termination, because whenever a ServiceEntry was configured with a HTTPS port, it would not configure a Http connection manager on it, but only make TLS metrics visible. Terminating the application-side HTTPS/TLS connection on the outbound listener would also suit us here.
Using the downstream tls config on a gateway was just the next best thing, since there currently is no such thing as a tls config on a sidecar's outbound/upstream listener (without restoring to EnvoyFilter magic, that is).
While researching this topic I came across at least these following Istio GitHub issues tackling the same problem, I think:
from istio.
Related Issues (20)
- [release-1.20] Update iptables image SHA HOT 1
- ExternalName service doesnot generate xds correctly HOT 6
- [release-1.21] Fix ambient cni on OpenShift
- istio side car proxy Version istio/proxyv2:1.15.3 is crashing HOT 10
- Envoy can't start the egress listener(configured by Sidecar) on VM workload HOT 2
- Report the use of components with vulnerabilities in istio HOT 1
- Consolidate logging in `istio-cni` HOT 3
- Document limitations with headless services and load balancing policies
- Sidecar CRD is ignored when pod rebalance from one Istiod to another and is endpoint in a ServiceEnrty HOT 11
- ISTIO_DELTA_XDS is not a pilot-discovery env var HOT 2
- Use Self Signed Certificate without domain name on Istio Ingress Gateway HOT 1
- envoy sidecar Sending local reply with details upgrade_failed HOT 5
- Ambient mesh: upstream connect error or disconnect/reset before headers when using Gateway API HOT 11
- VirtualService matcher WithoutHeaders not matching when header is missing HOT 2
- istioctl doesn't correctly patch CPU requests/limits HOT 2
- `istio-cni` code coverage CI gates HOT 3
- Kubectl apply a istio config cannot return warning HOT 1
- serviceentry / virtual service not work when target to outside server. HOT 13
- Delete HTTPRoute will trigger two push event loops, is this expected? HOT 5
- Istio Envoy Service time sometimes slow down HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from istio.