Can someone help me to piece together https://istio.io/docs/reference/config/networking/envoy-filter/ and https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto to allow tls_renegotiation on a specific outgoing domain via egress mtls origination?
I have several 3rd party services for which istio mtls origination via egress gateway works flawlessly and am debugging one that doesnt. istio retries 3 times, throws 503UC.
I am struggling to piece together a config snippet to allow renegotation for this specific route (single domain, egress mtls origination)
unfortunately i cannot figure out valid use case out of istio documentation page.
(my personal feeling is that https://istio.io/docs/reference/config/networking/envoy-filter/ is targeted at istio-developers rather than users. The amount of permutations/options to brute-force thru is gargantuan and the page really doesnt care to explain the constructs. I cant be the only person thinking that about istio docs, am i?)
2020-02-26 22:22:20.817][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:201] [C112] TLS error: 268435638:SSL routines:OPENSSL_internal:NO_RENEGOTIATION 268435650:SSL routines:OPENSSL_internal:PROTOCOL_IS_SHUTDOWN
[2020-02-26 22:22:20.817][debug][client] [external/envoy/source/common/http/codec_client.cc:82] [C112] disconnect. resetting 1 pending requests
[2020-02-26 22:22:20.817][debug][client] [external/envoy/source/common/http/codec_client.cc:105] [C112] request reset
apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: allow-tls-renegotiation spec: workloadSelector: labels: istio: egressgateway configPatches: - applyTo: FILTER_CHAIN match: context: GATEWAY listener: filterChain: sni: <domain> patch: operation: MERGE value: transport_socket: name: tls typed_config: "@type": type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext allow_renegotiation: true
Thanks for all help!