I am new to istio, and am having some trouble with TLS on an istio gateway resource. Any and all help greatly appreciated!
The following setup works as expected:
I am using AWS, and have an ELB (classic) load balancer which was created with defaults by the istio/istio-ingressgateway service. That service has annotations which terminate TLS at the load balancer and send the plaintext request to the gateway. The annotations are:
```yaml
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:<redacted>"
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
```
My gateway and virtual service are configured with just port 80, and all is working correctly. However, I want communication between the load balancer and the gateway to also be encrypted.
This is where things stop working…
I change the service.beta.kubernetes.io/aws-load-balancer-backend-protocol annotation above from http to https. I then follow the instructions in the documentation (for istio 1.5) but now persistently receive HTTP 503s from my service.
The changes I made were to add an HTTPS/443 section to my gateway definition and create a self-signed certificate (using cert-manager). These are detailed below:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: default-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: default-gateway-self-signed-cert
    hosts:
    - '*.<redacted>.net'
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
    hosts:
    - '*.<redacted>.net'
```
The secret (default-gateway-self-signed-cert) was created using the command:
```bash
kubectl -n istio-system \
  create secret generic default-gateway-self-signed-cert \
  --from-file=key=tls.key \
  --from-file=cert=tls.cert
```
(tls.crt is a self-signed certificate from cert-manager.)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-service
spec:
  hosts:
  - <redacted>.net
  gateways:
  - default-gateway
  http:
  - route:
    - destination:
        port:
          number: 80
        host: my-service.default.svc.cluster.local
```
I have tried to look at logs for the istio ingress service pod and my service pod, but I cannot see any activity when I make my request on port 443. I simply receive an HTTP 503.
Thanks so much in advance for any pointers in the right direction!
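A static consistency check one can run over a Gateway/VirtualService pair like the one in this post before digging through proxy logs (added example, not part of the original post). It assumes the manifests are transcribed into Python dicts, uses `redacted.net` as a stand-in for the post's `<redacted>` domain, and takes the secret entry names `key`/`cert` from the kubectl command above.

```python
# Added example: Gateway / VirtualService consistency checks (not the post's code).
# "redacted.net" is a placeholder for the post's <redacted> domain.

# Constructed from the Gateway manifest in the post.
GATEWAY = {
    "metadata": {"name": "default-gateway", "namespace": "default"},
    "spec": {"servers": [
        {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
         "tls": {"mode": "SIMPLE", "credentialName": "default-gateway-self-signed-cert"},
         "hosts": ["*.redacted.net"]},
        {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
         "tls": {"httpsRedirect": True},
         "hosts": ["*.redacted.net"]},
    ]},
}
# Constructed from the VirtualService manifest in the post.
VIRTUAL_SERVICE = {"spec": {"hosts": ["redacted.net"], "gateways": ["default-gateway"]}}
# Entry names carried by the generic secret created in the post.
SECRET_KEYS = {"key", "cert"}


def host_matches(gateway_host: str, vs_host: str) -> bool:
    """Istio wildcard semantics: '*.foo.com' covers 'a.foo.com' but NOT the apex 'foo.com'."""
    if gateway_host == "*":
        return True
    if gateway_host.startswith("*."):
        suffix = gateway_host[1:]  # ".foo.com"
        return vs_host.endswith(suffix) and len(vs_host) > len(suffix)
    return gateway_host == vs_host


def check(gateway: dict, vs: dict, secret_keys: set) -> list:
    """Return human-readable problems; an empty list means the pair looks consistent."""
    problems = []
    for server in gateway["spec"]["servers"]:
        name, tls = server["port"]["name"], server.get("tls", {})
        if server["port"]["protocol"] == "HTTPS":
            if tls.get("mode") == "SIMPLE" and not tls.get("credentialName"):
                problems.append(f"server {name}: SIMPLE TLS without credentialName")
            # Istio 1.5 SDS expects the generic secret to carry 'key' and 'cert' entries.
            if tls.get("credentialName") and not {"key", "cert"} <= secret_keys:
                problems.append(f"server {name}: secret lacks 'key'/'cert' entries")
        # A VirtualService host that no server host covers will never be routed.
        for vs_host in vs["spec"]["hosts"]:
            if not any(host_matches(h, vs_host) for h in server["hosts"]):
                problems.append(f"server {name}: host {vs_host!r} not covered by {server['hosts']}")
    return problems
```

Run against the post's manifests it reports that the apex host `redacted.net` is not covered by the wildcard `*.redacted.net` on either server; with a matching host it returns an empty list.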