Istio Egress gateway wild card hosts #51507

Closed
2 tasks done
bhat39a opened this issue Jun 11, 2024 · 6 comments

Comments

@bhat39a

bhat39a commented Jun 11, 2024

Is this the right place to submit this?

  • This is not a security vulnerability or a crashing bug
  • This is not a question about how to use Istio

Bug Description

Hello Team,

We are configuring wildcard host entries in our service entry, virtual service, destination rule and Gateway, but the connection is not going through. The connection from the istio-proxy sidecar container is being routed to the istio egress gateway, but from the istio egress gateway we can't see any connection to the internet (actual host).

Config File:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: wildcard-service-entry
spec:
  hosts:
  - "*.com"
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: NONE
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    hosts:
    - "*"
    tls:
      mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-gha-runner
  namespace: istio-system
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: gha-runner
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: wildcard-through-egress-gateway
  namespace: istio-system
spec:
  hosts:
  - "*.com"
  gateways:
  - mesh
  - istio-egressgateway
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - "*.com"
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: gha-runner
        port:
          number: 443
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
      sniHosts:
      - "*.com"
    route:
    - destination:
        host: "*.com"
        port:
          number: 443
      weight: 100


Error Message:

The connection is forwarded from the istio-proxy sidecar to the egress gateway:

[2024-06-11T12:58:35.518Z] "- - -" 0 - - - "-" 350 0 2 - "-" "-" "-" "-" "xx.xx.xx.xx:443" outbound|443|gha-runner|istio-egressgateway.istio-system.svc.cluster.local xx.xx.xx.xx:45434 xx.xx.xx.xx:443 xx.xx.xx.xx:53104 *.*com -
[2024-06-11T12:58:35.522Z] "- - -" 0 - - - "-" 350 0 2 - "-" "-" "-" "-" "xx.xx.xx.xx:443" outbound|443|gha-runner|istio-egressgateway.istio-system.svc.cluster.local xx.xx.xx.xx:45444 xx.xx.xx.xx:443 xx.xx.xx.xx:53108 *.*com -

But traffic from the egress gateway to the internet shows the message below:

[2024-06-11T12:58:35.633Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" outbound|443||*.com - xx.xx.xx.xx:443 xx.xx.xx.xx:45476 ..com -

Version

kubectl version
Client Version: v1.29.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.9-eks-036c24b

Additional Information

No response

@zirain
Member

zirain commented Jun 11, 2024

@bhat39a
Author

bhat39a commented Jun 11, 2024

related to https://istio.io/latest/blog/2023/egress-sni/?

Can you point to any specific area in our config that needs to be changed?

@howardjohn
Member

NONE mode cannot work on gateways. This means "use the original destination IP". However, the destination IP is the egress gw itself!

@bhat39a
Author

bhat39a commented Jun 11, 2024

NONE mode cannot work on gateways. This means "use the original destination IP". However, the destination IP is the egress gw itself!

Removed the NONE, but the issue still remains the same.

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: wildcard-service-entry
  namespace: istio-system
spec:
  hosts:
  - "*.com"
  ports:
  - number: 443
    name: https
    protocol: HTTPS

@howardjohn
Member

The default is NONE so you did not really remove it 🙂 .

There is no current built in way to achieve this. You will need to do something like https://istio.io/latest/blog/2023/egress-sni/
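The two access-log lines in the report show the failure pattern this thread explains: the sidecar hop has no response flags and a real upstream host, while the gateway hop carries the `UH` (no healthy upstream) flag on the `outbound|443||*.com` cluster. The parser below is an added example, not code from the issue or from Istio; it splits Istio's default (TCP) Envoy access-log format into named fields and diagnoses the `UH`-on-wildcard-cluster case, using the report's own lines (IPs already redacted as xx.xx.xx.xx) as sample input.

```python
import shlex

# Field order of Istio's default Envoy access-log format (TCP variant, where
# method/path/protocol and HTTP headers all render as "-"), 22 fields in total.
FIELDS = [
    "start_time", "request", "response_code", "response_flags",
    "response_code_details", "connection_termination_details",
    "upstream_transport_failure_reason", "bytes_received", "bytes_sent",
    "duration_ms", "upstream_service_time", "x_forwarded_for", "user_agent",
    "request_id", "authority", "upstream_host", "upstream_cluster",
    "upstream_local_address", "downstream_local_address",
    "downstream_remote_address", "requested_server_name", "route_name",
]

# Sample input copied from the report above (constructed test data for this example).
SIDECAR_LINE = ('[2024-06-11T12:58:35.518Z] "- - -" 0 - - - "-" 350 0 2 - "-" "-" "-" "-" '
                '"xx.xx.xx.xx:443" outbound|443|gha-runner|istio-egressgateway.istio-system.svc.cluster.local '
                'xx.xx.xx.xx:45434 xx.xx.xx.xx:443 xx.xx.xx.xx:53104 *.*com -')
GATEWAY_LINE = ('[2024-06-11T12:58:35.633Z] "- - -" 0 UH - - "-" 0 0 0 - "-" "-" "-" "-" "-" '
                'outbound|443||*.com - xx.xx.xx.xx:443 xx.xx.xx.xx:45476 ..com -')


def parse_access_log(line: str) -> dict:
    """Split one access-log line into named fields; shlex handles the quoted fields."""
    tokens = shlex.split(line)
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    return dict(zip(FIELDS, tokens))


def diagnose(entry: dict) -> str:
    """Classify a parsed entry; the UH + wildcard-cluster case is the one from this issue."""
    flags = entry["response_flags"].split(",")
    cluster = entry["upstream_cluster"]
    # Envoy cluster names in Istio are direction|port|subset|service-host.
    parts = cluster.split("|")
    service_host = parts[3] if len(parts) == 4 else cluster
    if "UH" in flags and service_host.startswith("*."):
        # No endpoint behind the cluster: with resolution NONE (the default) the
        # gateway would connect to the original destination, which is the gateway itself.
        return (f"no healthy upstream for wildcard cluster {cluster}: "
                "ServiceEntry resolution NONE cannot be served from a gateway")
    if entry["response_flags"] == "-" and entry["upstream_host"] != "-":
        return f"forwarded to {entry['upstream_host']} via {cluster}"
    return f"other: flags={entry['response_flags']} cluster={cluster}"
```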

@bhat39a
Author

bhat39a commented Jun 11, 2024

https://istio.io/latest/blog/2023/egress-sni/

:) Thanks, it's working now. The blog looks pretty complex, but it is easy to implement.

@bhat39a bhat39a closed this as completed Jun 11, 2024