0

I'm trying to proxy HTTP requests with a specified URI prefix to an external HTTPS server. The idea is to use our internal Nexus Repository Manager for NPM, but not lose the ability to use 'npm audit', like this project does: GitHub Project. It should be done with Istio instead of deploying an extra app.

I configured a virtual service and a service entry to route the traffic to the external service. So far it was not possible to convert an HTTP request to an HTTPS request. Is there any chance to do this?

Configuration:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs-nexus
spec:
  hosts:
  - "test.com"
  gateways:
  - gateway-xy
  http:
  - match:
    - uri:
        prefix: /-/npm/v1/security/audits/
    route:
      - destination:
          port:
            number: 443
          host: registry.npmjs.org
  - route:
    - destination:
        port:
          number: 80
        host: nexus


---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: npmjs-ext
spec:
  hosts:
    - registry.npmjs.org
  ports:
    - number: 443
      name: tls
      protocol: tls
  resolution: DNS
  location: MESH_EXTERNAL

Sebastian A.

1 Answer

5

Found a solution: You need to add a DestinationRule with TLS mode 'SIMPLE' to connect to an external HTTPS service.

The whole configuration for my issue with forwarding 'npm audit' requests to the public 'registry.npmjs.org', if you are using a private Nexus Repository, is:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs
spec:
  hosts:
  - "test.com"
  gateways:
  - gateway
  http:
  # Route to npm registry for audit
  # Like this: https://github.com/chovyy/npm-audit-proxy
  # See: https://istio.io/latest/blog/2019/proxy/
  - match:
    - uri:
        prefix: /-/npm/v1/security
    headers:
      request:
        set:
          host: "registry.npmjs.org"
    route:
      - destination:
          port:
            number: 443
          host: registry.npmjs.org

  # This is for custom Nexus repositories: you need to rewrite the route so that the prefix of the repository URL is not forwarded to registry.npmjs.org
  - match:
    - uri:
        prefix: /repository/npm-test-repo/-/npm/v1/security
    rewrite:
      uri: /-/npm/v1/security
    headers:
      request:
        set:
          host: "registry.npmjs.org"
    route:
      - destination:
          port:
            number: 443
          host: registry.npmjs.org

  - route:
    - destination:
        port:
          number: 80
        host: nexus

---

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: npmjs-ext
spec:
  hosts:
    - registry.npmjs.org
  ports:
    - number: 443
      name: tls
      protocol: TLS
  resolution: DNS
  location: MESH_EXTERNAL

---

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: npmjs-ext
spec:
  host: registry.npmjs.org
  trafficPolicy:
    tls:
      mode: SIMPLE
Sebastian A.
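
A stricter variant of the DestinationRule from the answer above, added here as an example and not part of the original post. Whether `mode: SIMPLE` alone verifies the upstream certificate depends on the Istio version and istiod settings, so this version states the checks explicitly; the CA bundle path is an assumption about the proxy image and should be confirmed inside your own gateway pod.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: npmjs-ext
spec:
  host: registry.npmjs.org
  trafficPolicy:
    tls:
      # Originate TLS from the gateway proxy to the external host.
      mode: SIMPLE
      # Send SNI so the upstream presents the certificate for this host.
      sni: registry.npmjs.org
      # Trust anchors used to verify the server certificate chain.
      # Assumed path: the system CA bundle inside the Istio proxy image.
      caCertificates: /etc/ssl/certs/ca-certificates.crt
      # Require the presented certificate to carry a SAN for this host,
      # so a valid certificate issued for some other name is rejected.
      subjectAltNames:
      - registry.npmjs.org
```

If audit requests start failing with 503 after applying it, check the gateway proxy logs for TLS handshake or certificate validation errors before loosening any of these fields.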