VirtualService with an HTTPS backend

I have a service with a self-signed SSL cert that I want to expose to the internet. I would like the Istio Gateway to terminate the SSL connection (using a cert from cert-manager) and the Istio sidecar to handle HTTPS traffic internally to the backend service.

However, when I try this I get errors from Envoy:

TLS error: 268435648:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE

My backend service is exposed like so:

---
kind: VirtualService
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: stratos
  namespace: stratos
spec:
  gateways:
    - cf-system/istio-ingressgateway
  hosts:
    - console.example.com
  http:
    - route:
        - destination:
            host: console-ui-ext
            
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: stratos
  namespace: stratos
spec:
  host: console-ui-ext
  trafficPolicy:
    tls:
      mode: SIMPLE

---
kind: Gateway
SNIP
  - hosts:
    - console.example.com
    port:
      name: https-workloads
      number: 443
      protocol: HTTPS
    tls:
      credentialName: my-cert
      mode: SIMPLE

In the Istio sidecar, I can curl -k https://localhost without issue. However, I get an SSL error when I use curl -k https://console-ui-ext.stratos.svc.cluster.local

What am I missing? One thing I found weird was that the routes added to Envoy are all outbound|443; I would have expected to see inbound routes there as well. I do not want TLS passthrough on the Gateway, since the certificate of the backend service is not valid.

Is there a step I forgot when having an HTTPS backend?
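For reference, the following is an added example and is not part of the question or of any answer to it: it lays out the full set of objects Istio uses when a client sidecar originates TLS to an in-mesh backend that terminates its own TLS on port 443. The host and namespace names are taken from the question; the Service, the PeerAuthentication and the port-level DestinationRule are assumptions made for the example, and whether this resolves the PEER_DID_NOT_RETURN_A_CERTIFICATE error above is not established on this page.

```yaml
# Added example (not from the post). Assumed objects for sidecar-originated TLS
# to an in-mesh HTTPS backend; names other than console-ui-ext/stratos are made up.
apiVersion: v1
kind: Service
metadata:
  name: console-ui-ext
  namespace: stratos
spec:
  selector:
    app: console-ui-ext          # assumed pod label
  ports:
    - name: https                # port name marks the backend port as TLS
      port: 443
      targetPort: 443
---
# Tell the server-side sidecar not to expect Istio mTLS on 443: the backend
# receives ordinary TLS and presents its own (self-signed) certificate.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: console-ui-ext
  namespace: stratos
spec:
  selector:
    matchLabels:
      app: console-ui-ext
  portLevelMtls:
    "443":
      mode: DISABLE
---
# Originate TLS from the client sidecar only for port 443 and send the SNI the
# backend certificate was issued for.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: console-ui-ext
  namespace: stratos
spec:
  host: console-ui-ext.stratos.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 443
        tls:
          mode: SIMPLE
          sni: console-ui-ext.stratos.svc.cluster.local
          # caCertificates: /etc/certs/console-ui-ext-ca.pem  # pin the self-signed cert (path assumed)
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: console-ui-ext
  namespace: stratos
spec:
  gateways:
    - cf-system/istio-ingressgateway
  hosts:
    - console.example.com
  http:
    - route:
        - destination:
            host: console-ui-ext.stratos.svc.cluster.local
            port:
              number: 443
```

Two points a practitioner would check here. First, the DestinationRule is scoped to port 443 so that TLS origination only applies to the port that actually speaks TLS. Second, with mode SIMPLE and no caCertificates the client sidecar either skips verification of the backend certificate or, depending on the Istio version, verifies it against the system CA bundle, which a self-signed certificate will fail; mounting the self-signed certificate into the sidecar and pointing caCertificates at it (the commented path is an assumption) makes the behaviour explicit either way and turns the hop into a verified connection rather than an unauthenticated one.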
Read more here: https://stackoverflow.com/questions/64939409/virtualservice-with-a-https-backend

Content Attribution

This content was originally published by chaos at Recent Questions - Stack Overflow, and is syndicated here via their RSS feed. You can read the original post over there.