Path-based Routing for External Domains in Kubernetes with IstioGateway API - Stack Overflow


We want to achieve path-based routing for external domains not owned by our Kubernetes cluster. We managed to configure routing successfully, but now we encounter a side-effect: workloads inside the cluster communicate using plain HTTP on port 443 to the external domain, resulting in SSL errors.

Desired Behavior

  • Requests to www.example/graphql are routed from the cluster ingress gateway to the external domain.
  • Workloads within the service mesh can successfully query https://graphql-api.mesh-external.example using HTTPS without SSL issues.

Current Approach

Our configuration uses Istio's ServiceEntry, DestinationRule, and the Gateway API's HTTPRoute:

apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: www-example-com
spec:
  hosts:
  - graphql-api.mesh-external.example
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: www-example-com
spec:
  host: graphql-api.mesh-external.example
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE
        sni: graphql-api.mesh-external.example
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: www-example-com
spec:
  hostnames:
  - www.example
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: ingress
    namespace: gateway
  rules:
  - backendRefs:
    - group: networking.istio.io
      kind: Hostname
      name: graphql-api.mesh-external.example
      port: 443
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /graphql

Problem

  • External requests through ingress work correctly, but internal mesh communication defaults to plain HTTP on port 443, causing SSL/TLS errors.

Question

How can we configure Istio and Gateway API so that internal mesh workloads correctly perform HTTPS communication with the external domain while retaining proper path-based routing for ingress traffic?

asked yesterday by Julian

1 Answer

You need to modify the DestinationRule to enforce TLS settings to make internal mesh workloads correctly perform HTTPS communication with the external domain while retaining proper path-based routing for ingress traffic without causing any SSL/TLS errors.

So you may need to update the DestinationRule by removing portLevelSettings as follows:

apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: www-example-com
spec:
  host: graphql-api.mesh-external.example
  trafficPolicy:
    tls:
      mode: SIMPLE
      sni: graphql-api.mesh-external.example

For more information check this Istio document and also go through this Medium blog by Harsh, which might be helpful to resolve your issue.
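As an added example (not from the question or the answer above), this is the split-port TLS-origination layout that Istio's egress documentation uses, adapted to this question's hostname; the resource names are assumptions, and the HTTPRoute is left out because it is unchanged apart from the backend port.

```yaml
# Added example (not from the question or answer): the split-port TLS-origination
# layout from Istio's egress documentation, adapted to this question's hostname.
# Callers send plaintext HTTP to port 80 and the sidecar or gateway originates TLS
# to the remote port 443. Workloads that already speak HTTPS keep using port 443,
# which is passed through untouched, so nothing is wrapped in TLS twice.
# Resource names below are assumed, not taken from the page.
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: graphql-api-mesh-external
spec:
  hosts:
  - graphql-api.mesh-external.example
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 80          # what callers inside the mesh dial (plaintext HTTP)
    name: http-port
    protocol: HTTP
    targetPort: 443     # what the sidecar actually connects to after originating TLS
  - number: 443         # HTTPS from workloads is passed through unchanged
    name: https-port
    protocol: HTTPS
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: graphql-api-mesh-external
spec:
  host: graphql-api.mesh-external.example
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80      # TLS origination only for the plaintext port, never for 443
      tls:
        mode: SIMPLE
        sni: graphql-api.mesh-external.example
```

With this layout the HTTPRoute's backendRef targets port 80 of the same hostname so the ingress gateway gets the same origination, and no port-443 TLS setting remains to double-wrap HTTPS calls made from inside the mesh.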
