What's the retry configuration for a ServiceEntry using https?
I'm trying to set up a Service Entry to add an external API to our mesh and take advantage of some network resilience features. First, I'd like to add retries to these API calls. I've got an example setup and working using http, but I can't figure out the configuration for https.
For example, I got this working...
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-srv-entry
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-vrt-srv
spec:
  hosts:
  - httpbin.org
  http:
  - route:
    - destination:
        host: httpbin.org
    retries:
      attempts: 10
      retryOn: "5xx"
After making a call inside the mesh to curl -v http://httpbin.org/status/503, I see all of the attempts in the istio-proxy log:
tools istio-proxy 2022-05-06T20:52:39.327431Z debug envoy router [C940][S13424897362262611751] performing retry
tools istio-proxy 2022-05-06T20:52:39.381075Z debug envoy router [C940][S13424897362262611751] performing retry
tools istio-proxy 2022-05-06T20:52:39.467414Z debug envoy router [C940][S13424897362262611751] performing retry
tools istio-proxy 2022-05-06T20:52:39.647938Z debug envoy router [C940][S13424897362262611751] performing retry
tools istio-proxy 2022-05-06T20:52:39.681137Z debug envoy router [C940][S13424897362262611751] performing retry
tools istio-proxy 2022-05-06T20:52:39.713335Z debug envoy router [C940][S13424897362262611751] performing retry
tools istio-proxy 2022-05-06T20:52:39.831212Z debug envoy router [C940][S13424897362262611751] performing retry
tools istio-proxy 2022-05-06T20:52:40.006095Z debug envoy router [C940][S13424897362262611751] performing retry
tools istio-proxy 2022-05-06T20:52:40.189391Z debug envoy router [C940][S13424897362262611751] performing retry
tools istio-proxy 2022-05-06T20:52:40.287682Z debug envoy router [C940][S13424897362262611751] performing retry
The problem I'm having is setting up this example with https...
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-srv-entry
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-vrt-srv
spec:
  hosts:
  - httpbin.org
  http:
  - route:
    - destination:
        host: httpbin.org
    retries:
      attempts: 10
      retryOn: "5xx"
The API calls are working, but the retries aren't happening. I can tell by how quickly the curl command ends and there's nothing in the istio-proxy log indicating any retries happened. I also tested by spinning up kennethreitz/httpbin on a different cluster and watching the access log, just thought this example was easier to demo.
Solution 1:[1]
Figured this out from here: https://stackoverflow.com/a/51740657/510218
Full example:
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-srv-entry
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-vrt-srv
spec:
  hosts:
  - httpbin.org
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: httpbin.org
        port:
          number: 443
    timeout: 300s
    retries:
      attempts: 10
      retryOn: 5xx
      perTryTimeout: 3s
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-httpbin
spec:
  host: httpbin.org
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE # initiates HTTPS when accessing httpbin.org
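An added example, not part of the original question or answer: a small Python check over parsed manifests that flags the failure mode from the question (http retries on a host whose ServiceEntry declares only TLS ports) and a review point on the answer's DestinationRule. The manifests are constructed dicts mirroring the YAML on this page, `find_issues` is a hypothetical helper name, and treating `mode: SIMPLE` without `caCertificates` as a finding is a heuristic assumption, since whether the sidecar validates the server certificate in that case depends on the Istio version.

```python
# Added example (not from the original posts). Manifests are constructed dicts
# mirroring the YAML on this page; find_issues is a hypothetical helper name.

def find_issues(manifests):
    """Return sorted (kind, name, finding) tuples for two review points."""
    issues = set()
    ports = {}  # host -> set of ServiceEntry port protocols
    for m in manifests:
        if m["kind"] == "ServiceEntry":
            for host in m["spec"]["hosts"]:
                for p in m["spec"]["ports"]:
                    ports.setdefault(host, set()).add(p["protocol"].upper())
    for m in manifests:
        kind, name, spec = m["kind"], m["metadata"]["name"], m["spec"]
        if kind == "VirtualService":
            has_retries = any("retries" in r for r in spec.get("http", []))
            for host in spec["hosts"]:
                protos = ports.get(host, set())
                # Only TLS ports declared: the sidecar forwards ciphertext, so
                # http routes (and their retries) never see the request.
                if has_retries and protos and protos <= {"HTTPS", "TLS"}:
                    issues.add((kind, name, "http retries on TLS-only host " + host))
        elif kind == "DestinationRule":
            policy = spec.get("trafficPolicy", {})
            blocks = [policy.get("tls")]
            blocks += [s.get("tls") for s in policy.get("portLevelSettings", [])]
            for tls in blocks:
                # Heuristic (assumption): SIMPLE without caCertificates deserves
                # review, as server-cert validation then depends on Istio version.
                if tls and tls.get("mode") == "SIMPLE" and not tls.get("caCertificates"):
                    issues.add((kind, name, "SIMPLE TLS without caCertificates"))
    return sorted(issues)


def _se(ports):  # constructed ServiceEntry for httpbin.org
    return {"kind": "ServiceEntry", "metadata": {"name": "httpbin-srv-entry"},
            "spec": {"hosts": ["httpbin.org"],
                     "ports": [{"number": n, "protocol": p} for n, p in ports]}}

VS = {"kind": "VirtualService", "metadata": {"name": "httpbin-vrt-srv"},
      "spec": {"hosts": ["httpbin.org"], "http": [{"retries": {"attempts": 10}}]}}
DR = {"kind": "DestinationRule", "metadata": {"name": "originate-tls-for-httpbin"},
      "spec": {"host": "httpbin.org", "trafficPolicy": {"portLevelSettings": [
          {"port": {"number": 443}, "tls": {"mode": "SIMPLE"}}]}}}

QUESTION = [_se([(443, "HTTPS")]), VS]                  # HTTPS attempt from the question
ANSWER = [_se([(80, "HTTP"), (443, "HTTPS")]), VS, DR]  # layout from Solution 1

if __name__ == "__main__":
    for label, docs in (("question", QUESTION), ("answer", ANSWER)):
        print(label, find_issues(docs))
```
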
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Tom Adamo |
