It’s been days now that I’ve been trying to configure Istio 1.22 to make a specific POD in the default namespace contact an external service (it’s a SOAP endpoint on the Internet), either using an egress gateway (which I would prefer) or without one, as a simpler initial scenario.
My end goal would be to automatically authenticate to the service through TLS, making the gateway transparently add the client certificate and private key. But, for now, I’d be happy to get a 403 Forbidden.
Instead, I always get either 503 or 35 (both in my curl and in the istio-proxy sidecar), regardless of how I configure everything.
Let me underline that curl works perfectly from any other computer outside this Istio deployment, for example from my computer.
This is the command I use from other computers:
curl -vvv --tlsv1.2 --key io.key --cert io.cer -X POST -d '<example>...</example>' https://DST_HOST -H "Content-Type: text/xml"
Normally, the server expects TLS 1.2 connections. If the client key, cert and ca-cert options are not provided, a user simply gets a 403.
What I’ve done with Istio:
I started by following the tutorial about Egress Gateways with TLS origination. The default example for cnn works. I simply substitute my hostname (and resource names) for the demo ones, and nothing works…
I’ve followed this other tutorial, which uses the PASSTHROUGH option. This one also leads to the same results.
I’ve followed TLS origination (without egress gateways), here. This one also leads to the same results.
I’ve activated logs to stdout on all Istio PODs. I can share any (anonymized) configuration and log on request.
Is there anything you can think of? Do you have any suggestions?
Thank you so much,
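As an added example (not part of the original post and not the poster's configuration), here is the set of resources that the mutual-TLS-origination variant of the Istio egress-gateway tutorial amounts to, written for a SOAP endpoint. The hostname soap.example.com stands in for DST_HOST, and the resource names, the secret name soap-client-credential and the application namespace default are assumptions. The mechanism the pattern relies on: the application sends plain HTTP to port 80 of the external hostname, the sidecar carries that request to the egress gateway over Istio mTLS, and only the gateway opens the TLS connection to the Internet and presents the client certificate taken from a Kubernetes secret, so the private key never has to be mounted in the application POD.

```yaml
# Added example: mTLS origination at the Istio egress gateway.
# Assumed names: soap.example.com (stands in for DST_HOST), the
# secret "soap-client-credential", and the app namespace "default".
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: soap-external
  namespace: default
spec:
  hosts: [soap.example.com]
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - {number: 80, name: http, protocol: HTTP}     # what the app calls
  - {number: 443, name: https, protocol: HTTPS}  # what the gateway calls
---
# Egress gateway listener: the sidecar-to-gateway hop is Istio mTLS,
# so the plaintext SOAP body never crosses the cluster network in clear.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: soap-egressgateway
  namespace: default
spec:
  selector:
    istio: egressgateway
  servers:
  - port: {number: 443, name: https, protocol: HTTPS}
    hosts: [soap.example.com]
    tls:
      mode: ISTIO_MUTUAL
---
# How the sidecar reaches the gateway: Istio mTLS with the external
# hostname as SNI so the gateway selects the matching server block.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: egressgateway-for-soap
  namespace: default
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: soap
    trafficPolicy:
      portLevelSettings:
      - port: {number: 443}
        tls:
          mode: ISTIO_MUTUAL
          sni: soap.example.com
---
# Two hops: mesh (sidecar) -> gateway on 443, gateway -> Internet on 443.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: soap-through-egressgateway
  namespace: default
spec:
  hosts: [soap.example.com]
  gateways: [mesh, soap-egressgateway]
  http:
  - match:
    - gateways: [mesh]
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: soap
        port: {number: 443}
  - match:
    - gateways: [soap-egressgateway]
      port: 443
    route:
    - destination:
        host: soap.example.com
        port: {number: 443}
---
# The only place the client certificate is presented. credentialName
# refers to a secret in the egress gateway's namespace (istio-system)
# with keys tls.crt, tls.key and ca.crt; the app pod never holds the key.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-mtls-for-soap
  namespace: istio-system
spec:
  host: soap.example.com
  trafficPolicy:
    portLevelSettings:
    - port: {number: 443}
      tls:
        mode: MUTUAL
        credentialName: soap-client-credential
        sni: soap.example.com
```

Two points a practitioner checks with this setup. First, the secret named by credentialName has to exist in the namespace the egress gateway runs in (istio-system), created with the same key, certificate and CA files the curl command uses, e.g. kubectl create secret generic soap-client-credential -n istio-system --from-file=tls.key=io.key --from-file=tls.crt=io.cer --from-file=ca.crt=ca.pem (file names assumed); including ca.crt is what makes the gateway verify the SOAP server against the CA you expect. Second, the application must call http://soap.example.com, not https://: a TLS handshake started by the application is opaque to the sidecar, matches only the 443 port of the ServiceEntry, and no certificate can be inserted into it, so the response then comes from the server's own rejection rather than from the gateway. To see what the proxies actually programmed, istioctl proxy-config cluster on the egress gateway pod with --fqdn soap.example.com shows whether the outbound cluster exists and which TLS mode it carries, and istioctl proxy-config route on the application pod shows whether the port-80 route to the gateway subset was installed.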