Can someone help me to piece together https://istio.io/docs/reference/config/networking/envoy-filter/ and https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto to allow tls_renegotiation on a specific outgoing domain via egress mtls origination?
I have several 3rd party services for which istio mtls origination via egress gateway works flawlessly and am debugging one that doesnt. istio retries 3 times, throws 503UC.
I am struggling to piece together a config snippet to allow renegotation for this specific route (single domain, egress mtls origination)
unfortunately i cannot figure out valid use case out of istio documentation page.
(my personal feeling is that https://istio.io/docs/reference/config/networking/envoy-filter/ is targeted at istio-developers rather than users. The amount of permutations/options to brute-force thru is gargantuan and the page really doesnt care to explain the constructs. I cant be the only person thinking that about istio docs, am i?)
2020-02-26 22:22:20.817][55][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:201] [C112] TLS error: 268435638:SSL routines:OPENSSL_internal:NO_RENEGOTIATION 268435650:SSL routines:OPENSSL_internal:PROTOCOL_IS_SHUTDOWN
[2020-02-26 22:22:20.817][55][debug][client] [external/envoy/source/common/http/codec_client.cc:82] [C112] disconnect. resetting 1 pending requests
[2020-02-26 22:22:20.817][55][debug][client] [external/envoy/source/common/http/codec_client.cc:105] [C112] request reset
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: allow-tls-renegotiation
spec:
workloadSelector:
labels:
istio: egressgateway
configPatches:
- applyTo: FILTER_CHAIN
match:
context: GATEWAY
listener:
filterChain:
sni: <domain>
patch:
operation: MERGE
value:
transport_socket:
name: tls
typed_config:
"@type": type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext
allow_renegotiation: true
Thanks for all help!
