GRPC with self-signed certificate

Hello,
I have an issue with exposing GRPC with a self-signed certificate to the world via Istio.
The PoC looks like this:

The server decrypts the traffic with the key it holds,
so it's GRPC with TLS.

Gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test-gw
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: grpc
      protocol: GRPC # Tried also HTTPS\TLS
    hosts:
    - test.domain.com   # the list entry was lost from the post; assumed to be the VirtualService host

VirtualService

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: test-vs
  namespace: grpc-ns
spec:
  hosts:
  - test.domain.com
  gateways:
  - istio-system/test-gw
  tls:
  - match:
    - port: 443
      sniHosts:
      - test.domain.com   # the list entry was lost from the post; assumed to be the same host
    route:                # key restored; a tls route requires it
    - destination:
        host: grpc-server.grpc-ns.svc.cluster.local
        port:
          number: 8090

Istio Ingressgateway logs
When I do the request from the client:

[2020-12-09T14:33:45.166Z] "- - -" 0 - "-" "-" 285 0 1 - "-" "-" "-" "-" "10.2.0.205:8090" outbound|8090||grpc-server.grpc-ns.svc.cluster.local 10.2.3.46:43960 10.2.11.42:443

Client Logs

2020/12/09 17:58:16 Loss contact with cloud or internet: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: EOF"

I don't see any log in the istio-proxy container on grpc-server, which means I cannot get it past the gateway.
Without TLS everything works great.

Any ideas what I missed?

Thank you

Try using TCP as the protocol.

Hey Nick,
A plaintext connection (i.e. TCP without TLS) between an external client and the server works.
When I add TLS it breaks.

I'm saying to tell the Istio gateway that port 443 is TCP. You can still do TLS and SNI routing, I believe.

If you want to do TLS passthrough, the only two protocols you can use on the gateway port are TCP or TLS.
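The configuration the last two replies describe, written out as an added example (it is not from the thread or from the Istio project). The names test-gw, test-vs, grpc-ns, grpc-server, test.domain.com and port 8090 are taken from the posts above; the Service manifest and its port name tcp-grpc are assumptions. The Gateway server is switched from protocol GRPC to TLS with mode PASSTHROUGH, so the ingress gateway no longer tries to terminate TLS with a certificate it does not hold and instead forwards the raw TLS stream to the backend based on the SNI in the ClientHello; the VirtualService keeps the tls route (not an http route) with a matching sniHosts entry.

```yaml
# Added example: TLS passthrough for a gRPC server that terminates its own
# self-signed certificate. The Service and the port name "tcp-grpc" are assumed.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test-gw
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: tls-grpc
      protocol: TLS          # TCP also works; GRPC/HTTPS make the gateway terminate TLS itself
    tls:
      mode: PASSTHROUGH      # do not terminate; route the TLS stream by SNI only
    hosts:
    - test.domain.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: test-vs
  namespace: grpc-ns
spec:
  hosts:
  - test.domain.com
  gateways:
  - istio-system/test-gw
  tls:                       # a tls route: the match is on the SNI of the ClientHello
  - match:
    - port: 443
      sniHosts:
      - test.domain.com
    route:
    - destination:
        host: grpc-server.grpc-ns.svc.cluster.local
        port:
          number: 8090
---
# Assumed Service for the backend. The "tcp-" name prefix tells the server's
# sidecar to treat the port as opaque TCP instead of trying to parse it as HTTP/2.
apiVersion: v1
kind: Service
metadata:
  name: grpc-server
  namespace: grpc-ns
spec:
  selector:
    app: grpc-server
  ports:
  - name: tcp-grpc
    port: 8090
    targetPort: 8090
```

To check the path from outside the cluster, run `openssl s_client -connect <INGRESS_IP>:443 -servername test.domain.com` (replace <INGRESS_IP> with the ingress gateway address): the certificate chain printed should be the backend's self-signed certificate, not anything held by the gateway. A client that sends no SNI matches no tls route and gets the connection closed during the handshake, which is the "authentication handshake failed: EOF" seen in the client log above. Because the gateway only ever sees the cleartext SNI in passthrough mode, it can neither validate the certificate nor apply request-level authorization; the gRPC server itself has to verify clients and enforce authorization, and the client has to trust the self-signed certificate explicitly.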