Istio - redirect to https external url

I'm trying to set up a simple redirect (not a proxy pass) in Istio:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: test
spec:
  gateways:
  - test
  hosts:
  - test.com
  http:
  - redirect:
      authority: testredirect.com
      redirectCode: 302
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: test
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - test.com
    port:
      name: http
      number: 80
      protocol: HTTP2

This creates a redirect to http://testredirect.com

How do I get this to redirect to http**s**://?

Notes:

  1. I tried adding a DestinationRule and ServiceEntry, but that did not help.
  2. We terminate SSL at the load balancer, so our requests come in on port 80, unencrypted.


Solution 1:[1]

Below is what worked for me.

- match:
  - authority:
      exact: test.com
  redirect:
    authority: testredirect.com

Solution 2:[2]

It looks like you need to use an Istio Gateway.

Gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections. The specification describes a set of ports that should be exposed, the type of protocol to use, SNI configuration for the load balancer, etc.

For example, the following Gateway configuration sets up a proxy to act as a load balancer exposing port 80 and 9080 (http), 443 (https), 9443 (https) and port 2379 (TCP) for ingress. The gateway will be applied to the proxy running on a pod with labels app: my-gateway-controller. While Istio will configure the proxy to listen on these ports, it is the responsibility of the user to ensure that external traffic to these ports is allowed into the mesh.

You can find an example there with redirection to https. http://uk.bookinfo.com will be redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: some-config-namespace
spec:
  selector:
    app: my-gateway-controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      httpsRedirect: true # sends 301 redirect for http requests
  - port:
      number: 443
      name: https-443
      protocol: HTTPS
    hosts:
    - uk.bookinfo.com
    - eu.bookinfo.com
    tls:
      mode: SIMPLE # enables HTTPS on this port
      serverCertificate: /etc/certs/servercert.pem
      privateKey: /etc/certs/privatekey.pem
  - port:
      number: 9443
      name: https-9443
      protocol: HTTPS
    hosts:
    - "bookinfo-namespace/*.bookinfo.com"
    tls:
      mode: SIMPLE # enables HTTPS on this port
      credentialName: bookinfo-secret # fetches certs from Kubernetes secret
  - port:
      number: 9080
      name: http-wildcard
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 2379 # to expose internal service via external port 2379
      name: mongo
      protocol: MONGO
    hosts:
    - "*"

And this is the Server configuration:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-ingress
spec:
  selector:
    app: my-ingressgateway
  servers:
  - port:
      number: 80
      name: http2
      protocol: HTTP2
    hosts:
    - "*"

You can also find there an example of TLS configuration for port 443:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-tls-ingress
spec:
  selector:
    app: my-tls-ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/certs/server.pem
      privateKey: /etc/certs/privatekey.pem
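
The following is an added example, not part of the original question or either answer: the question's VirtualService with the redirect scheme set explicitly, so the Location header says https even though the gateway itself only receives plain HTTP from the load balancer. It assumes an Istio release whose HTTPRedirect supports the `scheme` field; the ingress address in the check comment is a placeholder.

```yaml
# Added example (not from the original post): the question's VirtualService
# with the redirect scheme pinned to https.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: test
spec:
  gateways:
  - test                  # the port-80 Gateway from the question, unchanged
  hosts:
  - test.com
  http:
  - redirect:
      # Without this field the redirect keeps the scheme of the incoming
      # request. TLS ends at the load balancer, so the gateway sees http
      # and answers with Location: http://testredirect.com/...
      scheme: https
      authority: testredirect.com
      redirectCode: 302
# Check after applying (replace <ingress-address> with your own):
#   curl -sI -H 'Host: test.com' http://<ingress-address>/
# The response should be a 302 whose Location starts with
# https://testredirect.com/
```

Because the target host differs from test.com, this rule cannot loop back onto itself; a same-host http-to-https redirect behind a TLS-terminating load balancer would need to match on the forwarded protocol header instead.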

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2