We want to route https traffic to an https endpoint using Istio Ingress Gateway.
We terminate the TLS traffic at the Ingress Gateway, but our backend service uses https as well.
I have the following manifests:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: datalake-dsodis-istio-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "gw-hdfs-spark.dsodis.domain"
    - "spark-history.dsodis.domain"
    port:
      name: https-wildcard
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: gw-spark-history-istio-vs
spec:
  gateways:
  - default/datalake-dsodis-istio-gateway
  hosts:
  - "spark-history.dsodis.domain"
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: gateway-svc-clusterip.our_application_namespace.svc.cluster.local
        port:
          number: 8443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-spark-history
spec:
  host: gateway-svc-clusterip.our_application_namespace.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 8443
      tls:
        mode: SIMPLE
```

The problem is most likely that we are sending TLS-terminated traffic (so to say, HTTP traffic) to the HTTPS backend. Therefore we might get 503 Service Unavailable when accessing the service through Istio.
The command accessing it is:
```
curl -vvvv -H"Host: spark-history.dsodis.domain" --resolve "spark-history.dsodis.domain:31390:IP" https://spark-history.dsodis.domain:31390/gateway/default/sparkhistory -k
```

My question is, how can I tell Istio to route traffic to the backend service using https?
Thanks in advance.
Best regards,
rforberger
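
An added example, not part of the original post: a static check that every VirtualService route has a DestinationRule originating TLS for that exact host and port, which is the condition the question is about. The dict layout, function names and the `DR_SHADOWED` case are assumptions made here; host matching is exact and namespace scoping is ignored.

```python
# Added example (not from the post): static check over Istio manifests held as dicts.
ORIGINATES_TLS = {"SIMPLE", "MUTUAL", "ISTIO_MUTUAL"}

def effective_tls_mode(dest_rules, host, port):
    """Return the DestinationRule TLS mode applied to host:port, or None."""
    for dr in dest_rules:
        spec = dr["spec"]
        if spec["host"] != host:  # assumption: exact host match, namespaces ignored
            continue
        policy = spec.get("trafficPolicy", {})
        for pls in policy.get("portLevelSettings", []):
            if pls.get("port", {}).get("number") == port:
                # A port-level entry replaces the destination-level policy
                # for that port; omitted fields are not inherited.
                return pls.get("tls", {}).get("mode")
        return policy.get("tls", {}).get("mode")
    return None

def plaintext_routes(virtual_services, dest_rules):
    """List (vs_name, host, port, mode) for routes sent upstream without TLS."""
    findings = []
    for vs in virtual_services:
        for http in vs["spec"].get("http", []):
            for route in http.get("route", []):
                dest = route["destination"]
                host, port = dest["host"], dest.get("port", {}).get("number")
                mode = effective_tls_mode(dest_rules, host, port)
                if mode not in ORIGINATES_TLS:
                    findings.append((vs["metadata"]["name"], host, port, mode))
    return findings

BACKEND = "gateway-svc-clusterip.our_application_namespace.svc.cluster.local"
# VirtualService and DestinationRule reduced from the manifests in the post.
VS = {"metadata": {"name": "gw-spark-history-istio-vs"},
      "spec": {"http": [{"route": [
          {"destination": {"host": BACKEND, "port": {"number": 8443}}}]}]}}
DR = {"spec": {"host": BACKEND, "trafficPolicy": {
    "loadBalancer": {"simple": "ROUND_ROBIN"},
    "portLevelSettings": [{"port": {"number": 8443}, "tls": {"mode": "SIMPLE"}}]}}}
# Constructed counter-example: TLS set at destination level, but a port-level
# entry for 8443 without tls overrides it, so 8443 would get plaintext.
DR_SHADOWED = {"spec": {"host": BACKEND, "trafficPolicy": {
    "tls": {"mode": "SIMPLE"},
    "portLevelSettings": [{"port": {"number": 8443},
                           "loadBalancer": {"simple": "ROUND_ROBIN"}}]}}}

if __name__ == "__main__":
    for name, rules in [("post", [DR]), ("no rule", []), ("shadowed", [DR_SHADOWED])]:
        print(name, plaintext_routes([VS], rules))
```

An empty result only means the manifests are consistent on paper; it does not confirm which rules the gateway actually loaded.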