The problem is that the traffic from the pod does not go via the configured proxy for the specified sites.
There is a k8s app (node.js) that supports the HTTPS_PROXY environment variable, but does not support NO_PROXY. And there is a task to proxy traffic from the app to only specific sites.
I tried to deploy the Istio egress like this:
```
istioctl install --set profile=minimal \
  --set values.pilot.env.PILOT_ENABLE_ALPHA_GATEWAY_API=true \
  --set meshConfig.accessLogFile=/dev/stdout \
  --set "components.egressGateways[0].name=istio-egressgateway" \
  --set "components.egressGateways[0].enabled=true" \
  --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY
```
And applied two manifests:
```yaml
---
#
# ServiceEntry that describes external proxy
#
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-proxy
spec:
  hosts:
  - proxyext.external.site.local
  ports:
  - number: 3128
    name: http
    protocol: HTTP
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: route-to-proxy
spec:
  hosts:
  - api.google.com
  - api.usa.com
  - someother.site.com
  - en.wikipedia.org
  http:
  - match:
    - port: 443
    route:
    - destination:
        host: proxyext.external.site.local
        port:
          number: 3128
```
Then I tried to send a request with curl to en.wikipedia.org from the container, and it didn't go via the proxy but went directly. The istio-proxy side container's log revealed this:
```
[2024-04-16T07:29:51.116Z] "- - -" 0 - - - "-" 813 110483 535 - "-" "-" "-" "-" "185.15.59.224:443" outbound|443||en.wikipedia.org 10.233.103.2:32854 185.15.59.224:443 10.233.103.2:32838 en.wikipedia.org -
```
What am I doing wrong here?