Does Istio’s VirtualService routing and header manipulation apply to tracing traffic generated by istio-proxy itself?
Here’s the situation: I have Istio configured to send spans to an external tracing backend (Grafana Tempo) using the Zipkin extension provider. The spans sent by the sidecar do not include a User-Agent header. Because of that, AWS WAF on my ALB blocks the requests with a NoUserAgentHeader error.
I tried to use an Istio VirtualService to route the tracing traffic to Tempo and add a User-Agent header, but it looks like those policies don’t apply to tracing requests. Is this the expected behavior in Istio?
Istio mesh config:
extensionProviders = [
  {
    name = "zipkin"
    zipkin = {
      port = 80
      service = "tempo.my-domain"
    }
  }
]
Service Entry:
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: tempo-tracing-backend
  namespace: istio-system
spec:
  hosts:
  - tempo.my-domain
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 443
  resolution: DNS
VS:
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: tempo-vs
  namespace: istio-system
spec:
  hosts:
  - tempo.my-domain
  http:
  - headers:
      request:
        add:
          user-agent: "istio-envoy"
    route:
    - destination:
        host: tempo.my-domain
        port:
          number: 443
DestinationRule to enable TLS:
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: originate-tls
  namespace: istio-system
spec:
  host: tempo.my-domain
  trafficPolicy:
    tls:
      mode: SIMPLE