istio.yaml

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: external-https-route
  namespace: default
spec:
  # in here you specify how the traffic arrives to your ingress,   
  # i.e. the gateway and the hostname
  parentRefs:
    - name: helloworld
      namespace: istio-ingress
  hostnames: ["test.example.com"]
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      # you forward the traffic to a magic networking.istio.io/Hostname  
      # that only exists in code.
      backendRefs:
        - kind: Hostname
          group: networking.istio.io
          # make sure the hostname and port match the ServiceEntry!
          name: farcaller.net
          port: 443
      filters:
        # you might also want to rewrite the host header to match
        - type: RequestHeaderModifier
          requestHeaderModifier:
            set:
              - name: host
                value: farcaller.net
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-service
  namespace: default
spec:
  # define an outgoing cluster (where envoy sends traffic)
  hosts:
    - farcaller.net
  ports:
    - number: 443
      name: https
      protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: external-service
spec:
  host: farcaller.net
  # in case of TLS, you need to set the policy to SIMPLE and, most
  # probably, add the SNI.
  trafficPolicy:
    tls:
      mode: SIMPLE
      sni: farcaller.net