GoogleCloudPlatform / k8s-config-connector

GCP Config Connector, a Kubernetes add-on for managing GCP resources
https://cloud.google.com/config-connector/docs/overview
Apache License 2.0

Support for istio TLS origination? #559

Open snuggie12 opened 3 years ago

snuggie12 commented 3 years ago

Describe the feature or resource

We recently installed Istio on Config Connector and noticed an increase in our Cloud NAT port usage. Typically this has been due to HTTPS connections unable to be inspected by Istio. The solution has been to create a ServiceEntry and DestinationRule for the external URLs and change the client to use HTTP. Then, although the client talks HTTP inside the Pod, the sidecar will talk HTTPS to the destination.

Would it be possible to implement a flag in Config Connector to use HTTP instead of HTTPS? If Workload Identity is on, is there any sensitive data being sent from Config Connector to Google's APIs?

Importance

It's definitely a nice-to-have; we can always turn off Istio routing for external traffic leaving Config Connector to solve our port exhaustion.

More info: https://istio.io/latest/docs/tasks/traffic-management/egress/egress-tls-origination/
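The ServiceEntry and DestinationRule pair the comment above describes, written out as an added example of Istio egress TLS origination for one Google API host. This is not configuration shipped by Config Connector or posted by the issue author. Assumptions: the host compute.googleapis.com stands in for whichever googleapis.com endpoint the controller calls, the caller runs in the cnrm-system namespace, the mesh is Istio 1.6 or later (the targetPort form of the ServiceEntry), and the sidecar image carries the distro CA bundle at /etc/ssl/certs/ca-certificates.crt. The client side of the pattern, pointing Config Connector's API client at http://compute.googleapis.com:80, is exactly the flag this issue requests and does not exist at the time of the thread.

```yaml
# Added example: Istio egress TLS origination for a single Google API host.
# The in-Pod client sends plaintext HTTP to port 80; the sidecar opens (and
# pools) a TLS connection to port 443 on the real host, which is what lowers
# Cloud NAT port consumption. Host, namespace and CA path are assumptions.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: compute-googleapis-com
  namespace: cnrm-system          # assumed namespace of the calling workload
spec:
  hosts:
  - compute.googleapis.com        # assumed example host
  location: MESH_EXTERNAL
  resolution: DNS
  exportTo:
  - "."                           # keep the entry local to this namespace
  ports:
  # Plaintext port the in-Pod client uses; the sidecar forwards it to 443.
  - number: 80
    name: http-port
    protocol: HTTP
    targetPort: 443
  # Pass-through for clients that still speak HTTPS themselves (no origination).
  - number: 443
    name: https-port
    protocol: HTTPS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: compute-googleapis-com
  namespace: cnrm-system
spec:
  host: compute.googleapis.com
  exportTo:
  - "."
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: SIMPLE                    # sidecar originates TLS to the real host
        sni: compute.googleapis.com     # set SNI explicitly; do not rely on defaults
        # Pin the trust store. On older Istio releases an omitted caCertificates
        # meant the server certificate was not verified at all, which would let
        # an impostor endpoint receive the controller's bearer token.
        caCertificates: /etc/ssl/certs/ca-certificates.crt  # assumed path in istio-proxy
```

Two checks worth making after applying this. First, confirm the sidecar is actually originating TLS rather than forwarding plaintext: `istioctl proxy-config cluster <pod> --fqdn compute.googleapis.com -o json` should show a TLS transport socket on the port-80 outbound cluster. Second, on the question of sensitive data: with Workload Identity the controller still sends an OAuth 2.0 access token in the Authorization header on every request, so the plaintext hop only ever exists between the controller container and its own sidecar inside the Pod's network namespace, and the DestinationRule above must verify Google's certificate or that token can be replayed to whatever answers on port 443. The fallback the issue mentions, bypassing Istio for this traffic, corresponds to the `traffic.sidecar.istio.io/excludeOutboundPorts: "443"` Pod annotation; it restores the original port usage but keeps end-to-end TLS from the controller itself.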

maqiuyujoyce commented 3 years ago

Hi @snuggie12 , thank you for your feedback! If I've understood your request correctly, you want Config Connector to be able to call the GCP APIs via HTTP instead of HTTPS, right? This seems to be slightly different from the common use cases KCC supports, and given our current priorities and capacity, we may not be able to look into it soon. I have created a tracking item in our backlog, and will post an update when we have more information.

snuggie12 commented 3 years ago

That's correct. It will still be HTTPS, but will originate from the sidecar instead of the main container.

One other use case for being able to specify some sort of template for the GCP APIs is to use private service connect. This would also be an acceptable path forward.