I am trying to configure Egress TLS for TCP without an Egress gateway.
More precisely, I want to use ‘non secure’ traffic on some IP using a non secure port in my application and configure Istio to upgrade this to secure traffic on the same IP but on a secure port (think of LDAP/389 and LDAPS/636).
I do something like this:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: my-service-entry
spec:
  hosts:
  - my.host
  addresses:
  - IP/32
  ports:
  - number: PORT
    name: tcp
    protocol: TCP
  - number: PORT_SECURE
    name: tcp-secure
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: NONE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-virtual-service
spec:
  hosts:
  - my.host
  tcp:
  - match:
    - port: PORT
    route:
    - destination:
        host: my.host
        subset: tls-origination
        port:
          number: PORT_SECURE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-destination-rule
spec:
  host: my.host
  subsets:
  - name: tls-origination
    trafficPolicy:
      portLevelSettings:
      - port:
          number: PORT_SECURE
        tls:
          mode: SIMPLE
When I send traffic to PORT I do see that the traffic is ‘upgraded’ to TLS, but the outgoing port is still PORT and not PORT_SECURE.
I am probably doing something wrong. Any idea?
Note that if I do not create the VirtualService and use PORT_SECURE from my application, but still send non-TLS traffic, then it works.
Ideally I would like my application to not have to know that TLS is used and thus use the non secure port.
Note that for external incoming traffic, I can configure a gateway/virtual service that will terminate TLS and map the port.
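An added configuration example, not part of the original post, showing the same three resources with the ServiceEntry switched from resolution: NONE to resolution: STATIC with an explicit endpoint. It assumes the observed behaviour comes from resolution: NONE, which makes the sidecar forward to the original destination address and port so the port override in the VirtualService route is never applied; IP, PORT and PORT_SECURE are placeholders as in the post.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: my-service-entry
spec:
  hosts:
  - my.host
  addresses:
  - IP/32                  # placeholder, as in the post
  ports:
  - number: PORT           # plaintext port the application dials
    name: tcp
    protocol: TCP
  - number: PORT_SECURE    # TLS port the sidecar should dial instead
    name: tcp-secure
    protocol: TCP
  location: MESH_EXTERNAL
  # Assumption: STATIC with an explicit endpoint lets the route's port override apply.
  resolution: STATIC
  endpoints:
  - address: IP            # placeholder; endpoint uses the service port numbers
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-virtual-service
spec:
  hosts:
  - my.host
  tcp:
  - match:
    - port: PORT
    route:
    - destination:
        host: my.host
        port:
          number: PORT_SECURE   # rewrite PORT -> PORT_SECURE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-destination-rule
spec:
  host: my.host
  trafficPolicy:
    portLevelSettings:
    - port:
        number: PORT_SECURE
      tls:
        mode: SIMPLE          # originate TLS only on the secure port
```

To check what the sidecar actually does, inspect its outbound clusters with `istioctl proxy-config cluster <pod>` and confirm the cluster for my.host on PORT_SECURE is of type STATIC with the endpoint listed, rather than ORIGINAL_DST.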