I am trying to configure Egress TLS for TCP without an Egress gateway.
More precisely, I want to send 'non-secure' traffic to some IP on a non-secure port from my application and configure Istio to upgrade it to secure traffic on the same IP but on a secure port (think of LDAP/389 and LDAPS/636).
I do something like this:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: my-service-entry
spec:
  hosts:
  - my.host
  addresses:
  - IP/32
  ports:
  - number: PORT          # plain-text port the application connects to
    name: tcp
    protocol: TCP
  - number: PORT_SECURE   # TLS port the sidecar should connect to
    name: tcp-secure
    protocol: TCP
  location: MESH_EXTERNAL
  resolution: NONE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-virtual-service
spec:
  hosts:
  - my.host
  tcp:
  - match:
    - port: PORT
    route:
    - destination:
        host: my.host
        subset: tls-origination
        port:
          number: PORT_SECURE   # rewrite the destination port
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-destination-rule
spec:
  host: my.host
  subsets:
  - name: tls-origination
    trafficPolicy:
      portLevelSettings:
      - port:
          number: PORT_SECURE
        tls:
          mode: SIMPLE        # sidecar originates TLS on this port
```
When I send traffic to PORT I do see that the traffic is 'upgraded' to TLS, but the outgoing port is still PORT and not PORT_SECURE.
I am probably doing something wrong. Any idea?
Note that if I do not create the VirtualService and use PORT_SECURE from my application, while still sending non-TLS traffic, then it works.
Ideally I would like my application to not have to know that TLS is used and thus use the non secure port.
Note that for external incoming traffic, I can configure a gateway/virtual service that will terminate TLS and map the port.
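Below is an added worked configuration for the LDAP/LDAPS case the question mentions. It is not the poster's config and not taken from the Istio project; the hostname ldap.example.internal, the address 192.0.2.10 and the CA bundle path /etc/certs/ldap-ca.pem are constructed placeholders. It differs from the question's manifests in one place: the ServiceEntry uses `resolution: STATIC` with an explicit endpoint instead of `resolution: NONE`. The assumption behind that change is the Istio API reference's description of `NONE`, under which the proxy forwards the connection to the address it was originally bound to, so a destination port set in a VirtualService route is not applied; with `STATIC` the sidecar picks the endpoint from the ServiceEntry and the route's port takes effect. The `caCertificates` and `sni` settings are a hardening addition so that origination verifies the LDAP server's certificate rather than accepting any certificate.

```yaml
# Added example: TLS origination for LDAP (389 -> 636) without an egress gateway.
# Placeholders: ldap.example.internal, 192.0.2.10, /etc/certs/ldap-ca.pem.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: ldap-external
spec:
  hosts:
  - ldap.example.internal
  addresses:
  - 192.0.2.10/32           # VIP the sidecar listens on for TCP traffic
  ports:
  - number: 389             # plain-text port the application uses
    name: tcp-ldap
    protocol: TCP
  - number: 636             # TLS port the sidecar connects to
    name: tcp-ldaps
    protocol: TCP
  location: MESH_EXTERNAL
  # STATIC (not NONE): the sidecar routes to the endpoint below, so the
  # destination port from the VirtualService route is honoured.
  resolution: STATIC
  endpoints:
  - address: 192.0.2.10
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ldap-tls-origination
spec:
  hosts:
  - ldap.example.internal
  tcp:
  - match:
    - port: 389
    route:
    - destination:
        host: ldap.example.internal
        subset: tls-origination
        port:
          number: 636       # application connects to 389, sidecar dials 636
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ldap-tls-origination
spec:
  host: ldap.example.internal
  subsets:
  - name: tls-origination
    trafficPolicy:
      portLevelSettings:
      - port:
          number: 636
        tls:
          mode: SIMPLE
          sni: ldap.example.internal
          # CA bundle that must be mounted into the sidecar container;
          # without it the origination does not pin the server identity.
          caCertificates: /etc/certs/ldap-ca.pem
```

To check the result, watch the connection from the sidecar rather than from the application: `istioctl proxy-config cluster <pod>` should show an `outbound|636||ldap.example.internal` cluster with TLS configured, and a packet capture on the node should show the TLS handshake going to 192.0.2.10:636 while the application still opens a plain-text socket to port 389.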