Access a HTTPS service through istio ingress gateway

1

I have installed istio in EKS, I was able to setup HTTPS ingress gateway and able to access HTTP application, but I have an application which will accept only https traffic, I am not able to set that up, I saw the below link, but it recommends to update the secrets and config details in the container yaml file but my application is a helm chart provided by vendor and they dont recommend to add the details like below inside the container. Is there any way, I can setup https ingress gateway to access https service

2

Yes of course you can set it up. You need to have certificates and install them at specific place in file system. The secret must be named a certain way too.

3

Thanks Steve, I have a self signed certificate, created a kubernetes secret for the certificate, I have enabled SDS true option and hence I am using the configuration file like below.

gateway:
kind: Gateway
metadata:
name: tls-gateway
spec:
selector:
istio: admin-ingressgateway # use istio default controller
servers:

  • port:
    number: 443
    name: https
    protocol: HTTPS
    tls:
    mode: SIMPLE
    credentialName: ingressgateway-certs
    minProtocolVersion: TLSV1_2
    maxProtocolVersion: TLSV1_2
    hosts:
    • “*”

Virtual Service:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: otp-service
spec:
hosts:

  • “*”
    gateways:

  • tls-gateway
    http:

  • match:

    • uri:
      prefix: /
      route:
    • destination:
      host: myservice-config
      port:
      number: 9443
      When creating my admin-ingress gateway, I have mentioned the below secret volumes.

    secretVolumes:

    • name: ingressgateway-certs
      secretName: istio-ingressgateway-certs
      mountPath: /etc/istio/ingressgateway-certs
    • name: ingressgateway-ca-certs
      secretName: istio-ingressgateway-ca-certs
      mountPath: /etc/istio/ingressgateway-ca-certs.

The above are the steps i have followed. I was able to hit the sidecar for the application and then got this error.

upstream connect error or disconnect/reset before headers. reset reason: connection failure.

But if I disable mTLS, its working fine.

Could you please confirm if I missed any step.

4

Further Findings:
For an https application, even if I didn’t enable mutual TLS, I was able to hit the application through ingress only if I add destination rule like below

Destination Rule:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: test-http-dr
spec:
host: myservice-config
trafficPolicy:
tls:
mode: simple

With the above destination rule, I was able to access the service through istio ingress gateway, but as soon as I enable mutual tls it starts failing.

5

Hi Dinesh, did you ever get a positive resolution to the issue?
MTIA.

1 Like