I have installed Istio in EKS. I was able to set up an HTTPS ingress gateway and access an HTTP application, but I have an application which will accept only HTTPS traffic, and I am not able to set that up. I saw the link below, but it recommends updating the secrets and config details in the container YAML file; my application is a Helm chart provided by a vendor, and they don't recommend adding details like the ones below inside the container. Is there any way I can set up an HTTPS ingress gateway to access an HTTPS service?
Yes, of course you can set it up. You need to have certificates and install them at a specific place in the file system. The secret must be named a certain way too.
Thanks Steve. I have a self-signed certificate and created a Kubernetes secret for it. I have enabled the SDS option and hence am using the configuration below.
Gateway:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tls-gateway
spec:
  selector:
    istio: admin-ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: ingressgateway-certs
      minProtocolVersion: TLSV1_2
      maxProtocolVersion: TLSV1_2
    hosts:
    - "*"
Virtual Service:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: otp-service
spec:
  hosts:
  - "*"
  gateways:
  - tls-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: myservice-config
        port:
          number: 9443
When creating my admin-ingress gateway, I specified the secret volumes below.
secretVolumes:
- name: ingressgateway-certs
  secretName: istio-ingressgateway-certs
  mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-ca-certs
  secretName: istio-ingressgateway-ca-certs
  mountPath: /etc/istio/ingressgateway-ca-certs
The above are the steps I have followed. I was able to hit the sidecar for the application and then got this error:
upstream connect error or disconnect/reset before headers. reset reason: connection failure.
But if I disable mTLS, it works fine.
Could you please confirm if I missed any step?
Further Findings:
For an HTTPS application, even if I didn't enable mutual TLS, I was able to reach the application through the ingress only if I added a destination rule like the one below.
Destination Rule:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: test-http-dr
spec:
  host: myservice-config
  trafficPolicy:
    tls:
      mode: simple
With the above destination rule, I was able to access the service through the Istio ingress gateway, but as soon as I enable mutual TLS it starts failing.
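As an added example (not code from this thread or from Istio), here is a stand-alone check, Python standard library only, that runs over the manifests posted above re-typed as dicts and flags the two things worth verifying before digging into the proxy: whether the Gateway's credentialName names an existing secret (with SDS it must be the Kubernetes Secret name, not the mounted volume name), and whether a SIMPLE destination rule is being combined with enforced mesh mTLS. It assumes the secret names are exactly those listed under secretVolumes and that mesh mTLS is either fully enforced or not at all.

```python
# Added example: consistency check over the manifests from this thread.
# Not Istio code; manifests are re-typed as dicts and secret names are
# assumed to be the ones listed under secretVolumes.

GATEWAY = {
    "kind": "Gateway", "metadata": {"name": "tls-gateway"},
    "spec": {"servers": [{"port": {"number": 443, "protocol": "HTTPS"},
                          "tls": {"mode": "SIMPLE",
                                  "credentialName": "ingressgateway-certs",
                                  "minProtocolVersion": "TLSV1_2"},
                          "hosts": ["*"]}]}}
VIRTUAL_SERVICE = {
    "kind": "VirtualService", "metadata": {"name": "otp-service"},
    "spec": {"gateways": ["tls-gateway"],
             "http": [{"route": [{"destination": {"host": "myservice-config",
                                                   "port": {"number": 9443}}}]}]}}
DESTINATION_RULE = {
    "kind": "DestinationRule", "metadata": {"name": "test-http-dr"},
    "spec": {"host": "myservice-config",
             "trafficPolicy": {"tls": {"mode": "simple"}}}}
SECRET_VOLUMES = [
    {"name": "ingressgateway-certs", "secretName": "istio-ingressgateway-certs"},
    {"name": "ingressgateway-ca-certs", "secretName": "istio-ingressgateway-ca-certs"}]


def check_manifests(gateway, vs, dr, secret_volumes, mesh_mtls_strict):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    secret_names = {v["secretName"] for v in secret_volumes}
    for server in gateway["spec"]["servers"]:
        tls = server.get("tls", {})
        cred = tls.get("credentialName")
        # With SDS, credentialName must be the Secret's name, not the volume name.
        if cred and cred not in secret_names:
            findings.append(f"credentialName '{cred}' matches no secretName in secretVolumes")
        if tls.get("minProtocolVersion", "TLS_AUTO") in ("TLS_AUTO", "TLSV1_0", "TLSV1_1"):
            findings.append("gateway does not pin a TLS 1.2 floor")
    if gateway["metadata"]["name"] not in vs["spec"]["gateways"]:
        findings.append("VirtualService does not bind to the Gateway")
    dests = {r["destination"]["host"] for h in vs["spec"]["http"] for r in h["route"]}
    if dr["spec"]["host"] not in dests:
        findings.append("DestinationRule host is not a VirtualService destination")
    mode = dr["spec"]["trafficPolicy"]["tls"]["mode"].upper()
    # A sidecar enforcing mesh mTLS expects an Istio client certificate; plain
    # TLS origination (SIMPLE) never presents one, so the handshake is reset.
    if mesh_mtls_strict and mode != "ISTIO_MUTUAL":
        findings.append(f"mesh mTLS is enforced but DestinationRule tls mode is {mode}")
    return findings
```

With mesh mTLS off the check reports only the credentialName mismatch; with it on, it also reports the SIMPLE/ISTIO_MUTUAL conflict that matches the "connection failure" reset seen above.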
Hi Dinesh, did you ever get a positive resolution to the issue?
MTIA.