How to configure TLS origination in ISTIO?
Got to the bottom of this. ISTIO documentation was correct - TLS origination and retries work as expected.
The issue was caused by the perTryTimeout value which was too low. Requests were not completing in allocated time, so the gateway was timing out. It caught us out because the external service's performance has degraded recently and we didn't think to check it.
I think it should work like so:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: someservice-vs
spec:
  hosts:
  - someurl.somedomain.com
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: someurl.somedomain.com
    timeout: 40s
    retries:
      attempts: 10
      perTryTimeout: 4s
      retryOn: gateway-error,connect-failure,refused-stream,retriable-4xx,5xx
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: someservice-se
spec:
  hosts:
  - someurl.somedomain.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    protocol: HTTP
    name: http
  endpoints:
  - address: someurl.somedomain.com
    ports:
      http: 443
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: someservice-destinationrule
spec:
  host: someurl.somedomain.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    tls:
      mode: SIMPLE # initiates HTTPS when accessing someurl.somedomain.com
Make the ServiceEntry listen on port 80 but with the endpoint address pointing to port 443. Then the DestinationRule applies TLS for everything targeting port 80, which is eventually forwarded via the endpoints of the cluster to port 443.
Configuring TLS origination is documented here.
The configuration shown above is correct. Turns out the actual problem was caused by an insufficient timeout in the virtual service, not the TLS origination.
https://discuss.istio.io/t/can-i-route-http-traffic-as-https-to-an-external-service/489/8
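As an added example (not part of the thread above, and not Istio project code), the script below cross-checks the three resources from the post for the two things that bit this thread: that an external host forwarded to port 443 really has a DestinationRule originating TLS (otherwise the sidecar sends plaintext to an HTTPS port), and that the retry budget in the VirtualService fits inside its timeout (Istio's `attempts` counts retries, so the first try comes on top). It also flags a `SIMPLE` rule without `caCertificates`, since whether the upstream certificate is then verified depends on the Istio version. The manifests are embedded as the dicts `yaml.safe_load_all()` would return, so it runs offline without a cluster; `HOST`, the resource names and the check codes are placeholders/assumptions.

```python
import copy
import re
from typing import Dict, List, Tuple

HOST = "someurl.somedomain.com"  # placeholder host from the thread

# The thread's three resources as the dicts yaml.safe_load_all() would return
# (constructed here so the example runs offline without a cluster or a YAML library).
MANIFESTS: List[Dict] = [
    {"kind": "VirtualService", "metadata": {"name": "someservice-vs"},
     "spec": {"hosts": [HOST], "http": [{
         "match": [{"port": 80}], "route": [{"destination": {"host": HOST}}],
         "timeout": "40s",
         "retries": {"attempts": 10, "perTryTimeout": "4s",
                     "retryOn": "gateway-error,connect-failure,refused-stream,retriable-4xx,5xx"}}]}},
    {"kind": "ServiceEntry", "metadata": {"name": "someservice-se"},
     "spec": {"hosts": [HOST], "location": "MESH_EXTERNAL", "resolution": "DNS",
              "ports": [{"number": 80, "protocol": "HTTP", "name": "http"}],
              "endpoints": [{"address": HOST, "ports": {"http": 443}}]}},
    {"kind": "DestinationRule", "metadata": {"name": "someservice-destinationrule"},
     "spec": {"host": HOST, "trafficPolicy": {"loadBalancer": {"simple": "ROUND_ROBIN"},
                                              "tls": {"mode": "SIMPLE"}}}},
]

Finding = Tuple[str, str]  # (check code, human-readable message); codes are our own naming
_DUR = re.compile(r"^(\d+(?:\.\d+)?)(ms|s|m|h)$")
_UNIT = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}


def parse_duration(text: str) -> float:
    """Parse an Istio duration string ('40s', '500ms', '1m') into seconds."""
    m = _DUR.match(text.strip())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return float(m.group(1)) * _UNIT[m.group(2)]


def check_manifests(manifests: List[Dict]) -> List[Finding]:
    """Cross-check ServiceEntry / DestinationRule / VirtualService for a TLS-originated external host."""
    by_kind: Dict[str, List[Dict]] = {}
    for m in manifests:
        by_kind.setdefault(m["kind"], []).append(m)
    findings: List[Finding] = []

    # host -> tls block of its DestinationRule (None when there is no rule or no tls setting)
    tls_by_host = {dr["spec"]["host"]: dr["spec"].get("trafficPolicy", {}).get("tls")
                   for dr in by_kind.get("DestinationRule", [])}

    for se in by_kind.get("ServiceEntry", []):
        spec = se["spec"]
        if spec.get("location") != "MESH_EXTERNAL":
            continue
        for port in spec.get("ports", []):
            # An endpoint port map overrides the service port; default to the service port itself.
            target = port["number"]
            for ep in spec.get("endpoints", []):
                target = ep.get("ports", {}).get(port["name"], target)
            for host in spec["hosts"]:
                tls = tls_by_host.get(host)
                if port["protocol"].upper() in ("HTTPS", "TLS"):
                    # The sidecar passes TLS ports through, so origination settings would wrap TLS in TLS.
                    if tls:
                        findings.append(("TLS_PORT_WITH_ORIGINATION",
                                         f"{host}:{port['number']} is {port['protocol']}; declare it HTTP to originate TLS"))
                    continue
                if target == 443 and not (tls and tls.get("mode") in ("SIMPLE", "MUTUAL")):
                    findings.append(("NO_TLS_ORIGINATION",
                                     f"{host}:{port['number']} forwards to {target} without tls.mode SIMPLE/MUTUAL: "
                                     "plaintext would be sent to an HTTPS port"))
                if tls and tls.get("mode") == "SIMPLE" and not tls.get("caCertificates"):
                    findings.append(("UNVERIFIED_SERVER_CERT",
                                     f"DestinationRule for {host} sets SIMPLE without caCertificates; "
                                     "verification of the upstream certificate then depends on the Istio version"))

    for vs in by_kind.get("VirtualService", []):
        for route in vs["spec"].get("http", []):
            retries = route.get("retries")
            if not (retries and "perTryTimeout" in retries and "timeout" in route):
                continue
            # 'attempts' counts retries; the initial try is on top, and the route timeout caps the total.
            budget = parse_duration(retries["perTryTimeout"]) * (retries.get("attempts", 0) + 1)
            timeout = parse_duration(route["timeout"])
            if budget > timeout:
                findings.append(("RETRY_BUDGET_EXCEEDS_TIMEOUT",
                                 f"{vs['metadata']['name']}: {retries['attempts']} retries x {retries['perTryTimeout']} "
                                 f"plus the first try need {budget:g}s but timeout is {route['timeout']}"))
    return findings


def without_tls_origination(manifests: List[Dict]) -> List[Dict]:
    """Copy of the manifests with the DestinationRule tls block removed (the broken variant)."""
    out = copy.deepcopy(manifests)
    for m in out:
        if m["kind"] == "DestinationRule":
            m["spec"]["trafficPolicy"].pop("tls", None)
    return out


if __name__ == "__main__":
    for label, ms in (("as posted", MANIFESTS), ("without tls", without_tls_origination(MANIFESTS))):
        print(f"== {label} ==")
        for code, msg in check_manifests(ms):
            print(f"{code}: {msg}")
```

Run against the posted config, the checker reports that 10 retries at 4s plus the first try (44s) do not fit the 40s timeout, so the last retries can never complete, and that the `SIMPLE` rule pins no CA bundle; removing the `tls` block from the DestinationRule adds the plaintext-to-443 finding. In real use, feed it `yaml.safe_load_all()` over `kubectl get serviceentry,destinationrule,virtualservice -o yaml`.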