UPDATE: Resolved. SSL Issue. IP address not acceptable even if host domain is passed in header. Must use domain name.
So I have an end-to-end http to grpc call working using http and I am now trying it with https (TLS).
But I am getting error:
Connecting socket to /10.10.6.28:31390 with timeout 0
Here is full setup:
22:31:24.567 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection request: [route: {s}->https://10.10.6.28:31390][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
22:31:24.590 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {s}->https://10.10.6.28:31390][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
22:31:24.592 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening connection {s}->https://10.10.6.28:31390
22:31:24.596 [main] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting to /10.10.6.28:31390
22:31:24.596 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Connecting socket to /10.10.6.28:31390 with timeout 0
22:31:24.791 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
22:31:24.792 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
…
…
22:31:24.792 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Starting handshake
22:31:24.830 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Shutdown connection
22:31:24.830 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection discarded
22:31:24.831 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://10.10.6.28:31390][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
22:31:24.831 [main] INFO org.apache.http.impl.execchain.RetryExec - I/O exception (java.net.SocketException) caught when processing request to {s}->https://10.10.1.77:31390: Connection reset
22:31:24.835 [main] DEBUG org.apache.http.impl.execchain.RetryExec - Connection reset
java.net.SocketException: Connection reset
Here is gateway:
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: grpc-tls-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "mydomain.com"
EOF
I do have keys installed on the ingress in istio-system and properly referenced:
Here is virtualservice:
Spec:
  Gateways:
    grpc-tls-gateway
  Hosts:
    mydomain.com
  Http:
    Match:
      Uri:
        Prefix: /com.test.echo.EchoService/echo
    Route:
      Destination:
        Host: echo
        Port:
          Number: 9009
Is there an EnvoyFilter of type: HTTPS or just HTTP, because my bridge filter is type HTTP?
Here is what I have now:
create an EnvoyFilter
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: echo-filtering
spec:
  workloadLabels:
    app: echo
  filters:
  - listenerMatch:
      portNumber: 9009
      listenerType: SIDECAR_INBOUND
    insertPosition:
      index: BEFORE
      relativeTo: envoy.router
    filterName: envoy.grpc_http1_bridge
    filterType: HTTP
    filterConfig:
      services:
      - com.test.echo.EchoService
Lastly I am using the /etc/hosts file with an entry of
10.10.6.28 mydomain.com
on the client that makes the call. The client works fine for http but not when I adjust for https for some reason.