nginx - Access both https & http backend service from istio gw without sidecar

Question

I have some onprem cluster , some backend service are running in http , some are running in https. as of now Do not have istio side car configured.

call with http backend traffic is working.. but with https backend it is giving 503 error. gateway:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-gateway
  namespace: istio-system

spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: https
      number: 8443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP

virtual service:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: metalk8s-ui-proxies-https
  namespace: metalk8s-ui
spec:
  gateways:
  - istio-system/istio-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /api/kubernetes/
    route:
    - destination:
        host: kubernetes-api-ds
        port:
          number: 443
      weight: 100
  - match:
    - uri:
        prefix: /api/salt/
    route:
    - destination:
        host: salt-api
        port:
          number: 4507
      weight: 100

destination rule :

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: kubernetes-api-ds
  namespace: metalk8s-ui
spec:
  host: kubernetes-api
  trafficPolicy:
    portLevelSettings:
    - loadBalancer:
        simple: ROUND_ROBIN
      port:
        number: 443
    tls:
      caCertificates: /etc/istio/ingressgateway-certs/tls.crt
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key

Without destination rule configured it was giving 400 error ( client sent http request to https server) .

basically the backend service works with nginx ingress .. we are trying to replace the nginx with istio.. For this particular uri path nginx ingress was :

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-control-plane
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/use-regex: "true"
  labels:
    app: metalk8s-ui
    app.kubernetes.io/managed-by: salt
    app.kubernetes.io/name: metalk8s-ui
    app.kubernetes.io/part-of: metalk8s
    heritage: salt
    metalk8s.scality.com/version: 2.6.0-dev
  name: metalk8s-ui-proxies-https
  namespace: metalk8s-ui
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: kubernetes-api
          servicePort: 443
        path: /api/kubernetes(/|$)(.*)
      - backend:
          serviceName: salt-api
          servicePort: 4507
        path: /api/salt(/|$)(.*)
status:
  loadBalancer:
    ingress:
    - ip: 10.105.58.133

nginx.ingress.kubernetes.io/backend-protocol: HTTPS --> this was the annotation to define the backend protocol..

could someone please help , how to achieve the same in istio ..

question from:https://stackoverflow.com/questions/65940324/access-both-https-http-backend-service-from-istio-gw-without-sidecar

Answer 1

Waitting for answers