Bookinfo inbound requests are unexpectedly encrypted

Hi gang,

First time n00b user here… I’ve been working my way through the bookinfo sample, and found a curious problem…

When I access “productpage:9080” via the ratings pod… no problem:

root@cn1:/tmp/istio-1.3.1/samples/bookinfo# kubectl exec -it $(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}') -c ratings -- curl productpage:9080/productpage | grep -o "<title>.*</title>"
<title>Simple Bookstore App</title>
root@cn1:/tmp/istio-1.3.1/samples/bookinfo#

However, when I try to access productpage via the virtualservice, I get a 503 error:

root@cn1:/tmp/istio-1.3.1/samples/bookinfo#  curl -s http://${GATEWAY_URL}/productpage -v
*   Trying 192.168.34.3...
* TCP_NODELAY set
* Connected to 192.168.34.3 (192.168.34.3) port 80 (#0)
> GET /productpage HTTP/1.1
> Host: 192.168.34.3
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 503 Service Unavailable
< content-length: 91
< content-type: text/plain
< date: Thu, 03 Oct 2019 01:56:01 GMT
< server: istio-envoy
<
* Connection #0 to host 192.168.34.3 left intact
upstream connect error or disconnect/reset before headers. reset reason: connection failure
root@cn1:/tmp/istio-1.3.1/samples/bookinfo#

Furthermore, when I examine the logs of the productpage pod, I see the following, which seems to suggest to me that the request is arriving at the productpage pod encrypted:

ERROR:werkzeug:10.114.157.51 - - [03/Oct/2019 01:56:01] code 400, message Bad request version ('À\x13\x00\x9c\x00/À,À0À')
INFO:werkzeug:10.114.157.51 - - [03/Oct/2019 01:56:01] "ÊƎVfÁjô"ôÅø]»Â·×M­„pü+ºÒ¤ÔÀ+Ì©À/̨À	Àœ/À,À0À" HTTPStatus.BAD_REQUEST -
ERROR:werkzeug:10.114.157.51 - - [03/Oct/2019 01:56:01] code 400, message Bad request syntax ('\x16\x03\x01\x00Ê\x01\x00\x00Æ\x03\x03§´\x10é\x1a\x8fLÇÖ\x81l=¡aÒ²Ü\x03;\x95\x87\x1bö\x1d±QCö%Ù\x93ú\x00\x00\x1cÀ+Ì©À/̨À\tÀ\x13\x00\x9c\x00/À,À0À')
INFO:werkzeug:10.114.157.51 - - [03/Oct/2019 01:56:01] "ÊƧ´éLÇցl=¡aÒ²Ü;•‡�±QCö%ٓúÀ+Ì©À/̨À	Àœ/À,À0À" HTTPStatus.BAD_REQUEST -
ERROR:werkzeug:10.114.157.51 - - [03/Oct/2019 01:56:01] code 400, message Bad request version ('À\x13\x00\x9c\x00/À,À0À')
INFO:werkzeug:10.114.157.51 - - [03/Oct/2019 01:56:01] "ÊÆ£Y”(ÂDérÙ5¯KãfYȌøʈӑ¨ÙJˆÈ=ãþgÀ+Ì©À/̨À	Àœ/À,À0À" HTTPStatus.BAD_REQUEST -

I’m concerned that I may have turned on a feature unintentionally. I’d originally deployed with CNI plugin support, but I disabled this as part of testing (no difference).

Any suggestions on where to start debugging?

Thanks!
David
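As an added example (not part of the original post or of Istio), here is a small Python decoder that recovers the raw request-line bytes from a werkzeug "Bad request" log line and checks whether they are a TLS ClientHello, which is what the `\x16\x03\x01 ... \x01` prefix in the log above is. It builds a constructed ClientHello using the cipher-suite ids legible in the post's log, renders it the way werkzeug logs a request line, and parses it back; the log prefix and IP are constructed placeholders.

```python
import re
import struct

# Constructed for this example: the cipher-suite ids legible in the post's log
# ('À+' = 0xC02B, 'Ì©' = 0xCCA9, ...), followed by a few plausible ones.
CIPHER_SUITES = [0xC02B, 0xCCA9, 0xC02F, 0xCCA8, 0xC009, 0xC013, 0x009C,
                 0x002F, 0xC02C, 0xC030, 0xC00A, 0xC014, 0x0035, 0x000A]

def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello record (constructed sample, no extensions)."""
    random = bytes(range(0x80, 0xA0))                  # 32 bytes, none is 0x0a
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (b"\x03\x03" + random + b"\x00"             # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + b"\x00\x00")               # null compression, no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def werkzeug_log_line(raw: bytes) -> str:
    """Render bytes the way BaseHTTPRequestHandler (used by werkzeug) logs a bad
    request line: read up to the first newline byte, decode as ISO-8859-1, repr()."""
    first_line = raw.split(b"\n", 1)[0].decode("iso-8859-1")
    return ("ERROR:werkzeug:10.0.0.1 - - [03/Oct/2019 01:56:01] code 400, "
            f"message Bad request syntax ({first_line!r})")

_REQ_RE = re.compile(r"Bad request (?:syntax|version) \((['\"])(.*)\1\)$")

def request_line_bytes(log_line: str) -> bytes:
    """Undo the repr(): printable ISO-8859-1 chars are verbatim, the rest are \\xNN."""
    m = _REQ_RE.search(log_line)
    if not m:
        raise ValueError("not a werkzeug bad-request log line")
    return m.group(2).encode("iso-8859-1").decode("unicode_escape").encode("iso-8859-1")

def classify(raw: bytes) -> dict:
    """Is the 'bad request' a TLS ClientHello (TLS sent to a plaintext port)?"""
    if len(raw) < 11 or raw[0] != 0x16 or raw[1] != 0x03 or raw[5] != 0x01:
        return {"kind": "other"}
    info = {"kind": "tls_client_hello", "record_version": (raw[1], raw[2]),
            "client_version": (raw[9], raw[10]), "cipher_suites": []}
    off = 11 + 32                                       # skip the 32-byte random
    if len(raw) > off:
        off += 1 + raw[off]                             # skip the session id
    if len(raw) >= off + 2:
        n = struct.unpack("!H", raw[off:off + 2])[0]
        suites = raw[off + 2:off + 2 + n]               # truncated if a suite held 0x0a
        info["cipher_suites"] = [struct.unpack("!H", suites[i:i + 2])[0]
                                 for i in range(0, len(suites) - 1, 2)]
    return info

if __name__ == "__main__":
    print(classify(request_line_bytes(werkzeug_log_line(build_client_hello()))))
```

A ClientHello arriving on the application's own port means the TLS connection reached the container without being terminated, so the things to check are whether the productpage sidecar is actually intercepting inbound traffic and what mTLS mode applies to that workload.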

So I fixed this by disabling mTLS, but I don’t understand why:

My helm chart had this:

  mtls:
    # Default setting for service-to-service mtls. Can be set explicitly using
    # destination rules or service annotations.
    enabled: true
    auto: false

I changed it to:

  mtls:
    # Default setting for service-to-service mtls. Can be set explicitly using
    # destination rules or service annotations.
    enabled: false
    auto: false

And the example now works as expected. No more encrypted requests. I’d assumed that auto: false would have prevented mTLS from being turned on if I wasn’t ready? :slight_smile: