istio: Unable to route IP with TLS traffic through egress gateway


Bug description
I am trying to route traffic to an ELK instance in Softlayer using the provided IP over TLS and am unable to route the traffic through the Istio egress gateway. The request goes directly to the IP/cluster defined by the ServiceEntry. I was able to reproduce this using another well-known IP; steps are below.

  [ ] Docs
  [ ] Installation
  [x] Networking
  [ ] Performance and Scalability
  [ ] Extensions and Telemetry
  [ ] Security
  [ ] Test and Release
  [ ] User Experience
  [ ] Developer Infrastructure
  [ ] Upgrade

Expected behavior
It should be possible to direct IP-based traffic through the egress gateway. I expected the cluster to be "outbound|443||istio-egressgateway.istio-system.svc.cluster.local", but instead got "outbound|443||disney-placeholder.com", and nothing appeared in the egress gateway log.

Steps to reproduce the bug
See the attached egress-with-ip.yaml containing the Gateway, ServiceEntry and VirtualService (GW+SE+VS): egress-with-ip.yaml.txt

Setup

  1. Install the Sleep sample to your k8s cluster.
  2. Open 3 terminal windows.
  3. In all 3 terminals, execute: $ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})

In terminal 1, watch the egress gateway log. Execute:

$ kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system -f

In terminal 2, watch the Sleep app sidecar log. Execute:

$ kubectl logs ${SOURCE_POD} -c istio-proxy -f

Test with IP (130.211.198.204)
In terminal 3, connect to the IP. Execute:

$ kubectl create -f egress-with-ip.yaml
$ kubectl exec ${SOURCE_POD} -- curl -kLSs https://130.211.198.204

In the sidecar log, you will see:

"- - -" 0 - - - "-" 726 65086 111 - "-" "-" "-" "-" "130.211.198.204:443" outbound|443||disney-placeholder.com 172.30.33.92:38236 130.211.198.204:443 172.30.33.92:38234 - -

In the egress gateway log, you will see nothing: no processing.

Version (include the output of istioctl version --remote and kubectl version --short and helm version --short if you used Helm)
1.9.5

How was Istio installed?
IKS managed Istio operator

Environment where the bug was observed (cloud vendor, OS, etc)
IKS


About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 16 (5 by maintainers)

Most upvoted comments

A better idea is to propose a solution and an example of how to route a static IP address through the Istio egress gateway.

@howardjohn @incfly Any idea about this issue? The objective is that we just use the domain and HTTP in the application, but we use a static IP for that domain via a ServiceEntry. So if we send out the request, egress should be able to route the traffic with TLS. Here we are not able to get the outbound as egress!!!
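The comments above ask for a worked example of routing a static IP through the egress gateway. The manifests below are an added example written for this page; they are not the reporter's attached egress-with-ip.yaml and not Istio project code. They follow the TCP egress-gateway pattern from Istio's own documentation, matching on destinationSubnets instead of SNI. The reason for that choice is protocol-level: a TLS ClientHello sent to a bare IP carries no server_name extension (RFC 6066 does not allow IP literals there), so a tls route with sniHosts can never match such a connection, and a ServiceEntry declared as TLS/HTTPS gives the sidecar nothing to route on except the ServiceEntry's own cluster. That is one explanation consistent with the outbound|443||disney-placeholder.com seen in the report's sidecar log, although the page does not show the original VirtualService, so it is an assumption. Also assumed: the host disney-placeholder.com and the IP are taken from the log line; the resource names, the Gateway name egress-ip-gateway and the use of port 443 on the egress gateway are mine; and nothing on the page confirms that this configuration resolves the reporter's case.

```yaml
# Added example (not the attached egress-with-ip.yaml, not Istio project code):
# route TLS to a bare IP through the egress gateway as opaque TCP, matched on
# the destination subnet rather than on SNI. Host name and IP come from the
# report's sidecar log; resource names and the gateway port are assumptions.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: disney-placeholder
spec:
  hosts:
  - disney-placeholder.com        # placeholder name standing in for the raw IP
  addresses:
  - 130.211.198.204/32            # sidecar builds a listener for this address
  ports:
  - number: 443
    name: tcp-443
    protocol: TCP                 # TCP, not TLS: a TLS port would need an SNI match
  location: MESH_EXTERNAL
  resolution: STATIC
  endpoints:
  - address: 130.211.198.204
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: egress-ip-gateway         # assumed name
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tcp-443
      protocol: TCP               # accept the passed-through TLS bytes as plain TCP
    hosts:
    - disney-placeholder.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: disney-placeholder-via-egress
spec:
  hosts:
  - disney-placeholder.com
  gateways:
  - mesh                          # sidecar side of the route
  - egress-ip-gateway             # egress gateway side of the route
  tcp:
  # Hop 1: in the sidecar, match the raw destination IP/port and send the
  # connection to the egress gateway instead of to the ServiceEntry cluster.
  - match:
    - gateways:
      - mesh
      destinationSubnets:
      - 130.211.198.204/32
      port: 443
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 443
  # Hop 2: on the egress gateway, forward to the external endpoint declared
  # in the ServiceEntry.
  - match:
    - gateways:
      - egress-ip-gateway
      port: 443
    route:
    - destination:
        host: disney-placeholder.com
        port:
          number: 443
```

Apply the three resources in the sleep pod's namespace (the unqualified gateways entry in the VirtualService resolves to a Gateway in the same namespace), then rerun the curl from the report. The sidecar access log should now name outbound|443||istio-egressgateway.istio-system.svc.cluster.local as the upstream cluster, which is the value the report expected, and the egress gateway log should show outbound|443||disney-placeholder.com. istioctl proxy-config listener $SOURCE_POD --address 130.211.198.204 --port 443 -o json shows the filter chain the sidecar built for that address, which is the quickest way to see whether the route points at the gateway or straight at the ServiceEntry cluster. Two caveats: the gateway passes the application's TLS session through opaquely, so it cannot validate the remote certificate or apply any SNI-based policy; all this enforces is that the flow leaves through the gateway. And if another Gateway already binds port 443 on the egress gateway with a different protocol (the documented HTTPS passthrough example does), the two server definitions can conflict, so use a dedicated port in that case.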