Access a HTTPS service through istio ingress gateway

I have installed istio in EKS, I was able to setup HTTPS ingress gateway and able to access HTTP application, but I have an application which will accept only https traffic, I am not able to set that up, I saw the below link, but it recommends to update the secrets and config details in the container yaml file but my application is a helm chart provided by vendor and they dont recommend to add the details like below inside the container. Is there any way, I can setup https ingress gateway to access https service

Yes of course you can set it up. You need to have certificates and install them at specific place in file system. The secret must be named a certain way too.

Thanks Steve, I have a self signed certificate, created a kubernetes secret for the certificate, I have enabled SDS true option and hence I am using the configuration file like below.

gateway:
kind: Gateway
metadata:
name: tls-gateway
spec:
selector:
istio: admin-ingressgateway # use istio default controller
servers:

  • port:
    number: 443
    name: https
    protocol: HTTPS
    tls:
    mode: SIMPLE
    credentialName: ingressgateway-certs
    minProtocolVersion: TLSV1_2
    maxProtocolVersion: TLSV1_2
    hosts:
    • “*”

Virtual Service:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: otp-service
spec:
hosts:

  • “*”
    gateways:

  • tls-gateway
    http:

  • match:

    • uri:
      prefix: /
      route:
    • destination:
      host: myservice-config
      port:
      number: 9443
      When creating my admin-ingress gateway, I have mentioned the below secret volumes.

    secretVolumes:

    • name: ingressgateway-certs
      secretName: istio-ingressgateway-certs
      mountPath: /etc/istio/ingressgateway-certs
    • name: ingressgateway-ca-certs
      secretName: istio-ingressgateway-ca-certs
      mountPath: /etc/istio/ingressgateway-ca-certs.

The above are the steps i have followed. I was able to hit the sidecar for the application and then got this error.

upstream connect error or disconnect/reset before headers. reset reason: connection failure.

But if I disable mTLS, its working fine.

Could you please confirm if I missed any step.

Further Findings:
For an https application, even if I didn’t enable mutual TLS, I was able to hit the application through ingress only if I add destination rule like below

Destination Rule:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: test-http-dr
spec:
host: myservice-config
trafficPolicy:
tls:
mode: simple

With the above destination rule, I was able to access the service through istio ingress gateway, but as soon as I enable mutual tls it starts failing.