@spikecurtis thanks for taking time for this. Let me try to rephrase what I’m trying to accomplish.
When an external client on the internet connects to one of our services like coolsvc.cooldomain.net. We want the SSL cert provided back to the client to be our AWS wildcard cert that is configured in the elb asociated with the kubernetes service istio-ingressgateway in the istio-system namespace. The ELB in turn will create a connection with the istio-ingressgateway pod which is configured for SSL using a wildcard cert from our local CA.
So the clients on the internet get an SSL certificate from a well known CA but we also have encryption between the ELB and the istio-ingressgateway pod.
Using SSL at the ELB and in a pod works fine outside of istio. Trying to get this to work with the istio ingressgateway has been challenging.
From an client perspective the connection to the ELB works fine. But between the ELB and istio-ingressgateway pod something is happening. I’ve captured packets and can see the requests come into the instance but then a timeout occurs and curl exits with an HTTP 408.
I changed the gateway object for some testing and changed the hosts to “*” and then traffic started working. To me it feels like the traffic is getting into the ingress gateway and just not getting associated with the gateway. Does any of this make you think of something I have misconfigured or do you know the best way to enable some debug logging in the ingress-gateway pod to see what’s happening?
I have a pretty detailed post here How to terminate SSL at ELB and at istio ingressgateway that goes into details of the configurations of the various components.