Well,
I need to configure Istio to act as a reverse proxy when hit from a certain domain and on a particular route with a prefix. I configured the ingress gateway so that the client certs are available on the path /etc/certs.
I made sure that the certs are correct because I am able to call the external URL using curl and supplying the same certs as present in the istio-ingressgateway. However, calling from Istio gives the following error:
upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection failure, transport failure reason: TLS error: 268436496:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE 268435610:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO
Here are the ServiceEntry, VirtualService and DestinationRule.
I am at a loss as to where the issue is. I am not sure how to get the curl equivalent of what Istio is sending to the external host.
Here are the certs as present on the istio-ingressgateway pod:
kubectl exec -ti istio-ingressgateway-85785df777-l6cxb -n istio-system -- sh
$ cd /etc/certs
$ ls
client_ca.pem client_cert.pem client_key.pem
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: esl-service-entry
  namespace: istio-system
spec:
  hosts:
  - esl.local            # mesh-internal name the VirtualService routes to
  location: MESH_EXTERNAL
  ports:
  - number: 5889
    name: https
    protocol: HTTPS
  resolution: DNS
  endpoints:
  - address: esldp-sit3-west.corp.foo.com   # the real external host behind esl.local
    ports:
      https: 5889
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: els-proxy-vs
  namespace: istio-system
spec:
  hosts:
  - dev1.mydomain.com
  gateways:
  - default/ingress-gateway   # Gateway resource lives in the default namespace
  http:
  - name: vs-proxy1-match
    match:
    - uri:
        prefix: "/locators/"
    route:
    - destination:
        host: esl.local
        port:
          number: 5889
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: esl-proxy-dr
  namespace: istio-system
spec:
  host: esl.local
  exportTo:
  - '.'                       # visible only in istio-system, where the gateway runs
  trafficPolicy:
    tls:
      mode: MUTUAL            # gateway originates mTLS to the external host
      clientCertificate: /etc/certs/client_cert.pem
      privateKey: /etc/certs/client_key.pem
      caCertificates: /etc/certs/client_ca.pem   # CA used to verify the upstream server cert
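The Envoy error quoted in the question ends in HANDSHAKE_FAILURE_ON_CLIENT_HELLO, which is BoringSSL's marker for a handshake_failure alert that arrived as the reply to the ClientHello, that is, before the client certificate was ever put on the wire. At that point the server has only seen the SNI, the offered protocol versions and the cipher suites, so those are worth checking before the cert files on the pod. The script below is an added example, not part of the question and not Istio code: it builds a throwaway PKI with the openssl CLI (assumed to be on PATH), starts a local TLS 1.2 server that only serves the constructed SNI esl.lab and requires a client certificate, and then runs three client attempts that mirror what a MUTUAL-mode egress cluster does. The server records at which stage it refused each connection, which the client-side error alone does not reveal.

```python
"""Lab reproduction of a TLS handshake refused at the ClientHello (added example, not from the post).
Constructed PKI and hostnames; the poster's real endpoint is never contacted."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

SERVED_SNI = "esl.lab"  # constructed lab hostname


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_pki(workdir):
    """Constructed throwaway PKI: one CA issues a server cert (SAN esl.lab) and a client cert."""
    def path(name):
        return os.path.join(workdir, name)
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=lab-ca", "-keyout", path("ca.key"), "-out", path("ca.crt"))
    with open(path("server.ext"), "w") as f:
        f.write(f"subjectAltName=DNS:{SERVED_SNI}\n")
    for name, cn in (("server", SERVED_SNI), ("client", "istio-egress")):
        _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
                 "-keyout", path(f"{name}.key"), "-out", path(f"{name}.csr"))
        ext = ["-extfile", path("server.ext")] if name == "server" else []
        _openssl("x509", "-req", "-days", "1", "-in", path(f"{name}.csr"), "-CA", path("ca.crt"),
                 "-CAkey", path("ca.key"), "-CAcreateserial", "-out", path(f"{name}.crt"), *ext)
    return {n: path(n) for n in ("ca.crt", "server.crt", "server.key", "client.crt", "client.key")}


class LabServer:
    """TLS 1.2 server that refuses unknown SNI at the ClientHello and requires a client cert."""

    def __init__(self, pki):
        self.events = []            # one entry per connection: what the server decided
        self._hello_rejected = False
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # keeps the alert flow deterministic
        ctx.load_cert_chain(pki["server.crt"], pki["server.key"])
        ctx.load_verify_locations(pki["ca.crt"])
        ctx.verify_mode = ssl.CERT_REQUIRED            # mTLS: a client cert is mandatory
        ctx.sni_callback = self._sni_guard
        self.ctx = ctx
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(10)
        self.port = self.sock.getsockname()[1]

    def _sni_guard(self, sslsock, server_name, ctx):
        # Runs while the ClientHello is parsed, before any client certificate is on the wire.
        if server_name != SERVED_SNI:
            self._hello_rejected = True
            self.events.append(f"clienthello_rejected sni={server_name}")
            return ssl.ALERT_DESCRIPTION_HANDSHAKE_FAILURE   # alert sent in reply to the ClientHello
        return None

    def serve(self, n):
        for _ in range(n):
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                return
            conn.settimeout(5)
            self._hello_rejected = False
            try:
                with self.ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1024)
                    tls.sendall(b"HTTP/1.0 200 OK\r\n\r\nhello from esl.lab\r\n")
                    self.events.append("served")
            except (ssl.SSLError, OSError) as e:
                if not self._hello_rejected:   # got past the ClientHello, failed at the cert stage
                    why = getattr(e, "reason", None) or type(e).__name__
                    self.events.append(f"certificate_stage_rejected reason={why}")
            finally:
                conn.close()


def attempt(port, pki, sni, with_client_cert):
    """One egress attempt, as an Envoy upstream would make it; returns 'ok' or 'refused:<reason>'."""
    ctx = ssl.create_default_context(cafile=pki["ca.crt"])
    ctx.check_hostname = sni is not None   # with no SNI there is no name to check the cert against
    if with_client_cert:
        ctx.load_cert_chain(pki["client.crt"], pki["client.key"])
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(b"GET /locators/ HTTP/1.0\r\n\r\n")
            return "ok" if tls.recv(1024).startswith(b"HTTP/1.0 200") else "unexpected"
    except ssl.SSLError as e:
        return f"refused:{e.reason}"
    except OSError as e:
        return f"refused:{type(e).__name__}"


def run_lab():
    """Run the three attempts; returns (client results by case, server events in order)."""
    cases = [("right SNI, client cert", SERVED_SNI, True),
             ("wrong SNI, client cert", "not-served.lab", True),
             ("right SNI, no client cert", SERVED_SNI, False)]
    with tempfile.TemporaryDirectory() as workdir:
        pki = make_pki(workdir)
        server = LabServer(pki)
        t = threading.Thread(target=server.serve, args=(len(cases),), daemon=True)
        t.start()
        results = {label: attempt(server.port, pki, sni, cert) for label, sni, cert in cases}
        t.join(timeout=30)
        server.sock.close()
    return results, server.events


if __name__ == "__main__":
    res, ev = run_lab()
    for label, outcome in res.items():
        print(f"{label:28s} -> {outcome}")
    print("\n".join(ev))
```

The two refused cases look identical from the client side (both surface as a handshake_failure alert), but the server log shows one was rejected on the ClientHello and the other only after the certificate exchange. To see what the gateway actually presents, dump the generated upstream TLS context with `istioctl proxy-config cluster <gateway-pod> -n istio-system --fqdn esl.local -o json` and reproduce it by hand with `openssl s_client -connect esldp-sit3-west.corp.foo.com:5889 -servername <sni> -cert client_cert.pem -key client_key.pem -CAfile client_ca.pem`, varying `-servername`. If the upstream only accepts its own name as SNI, the DestinationRule's `trafficPolicy.tls.sni` field is where that name is set explicitly.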