HTTPS for ALB ingress gateway and Istio ingress gateway

I can successfully set up an AWS ALB ingress gateway with HTTPS inbound terminating at the ALB, and use HTTP from the ALB to the Istio ingress gateway. However, it fails with a 502 Bad Gateway when I set up HTTPS from the ALB to the Istio ingress gateway.

I installed Istio with the AWS ALB ingress gateway, following the instructions here to install Istio with the sds profile, modifying the values-istio-sds-auth.yaml file based on these instructions to override the sds profile with the following settings:

  • set global.k8sIngressSelector=ingressgateway
  • set ingress.enable=false
  • set gateways.enabled=true, gateways.istio-ingressgateway.type=NodePort

Next, I followed these instructions to set up the ALB ingress controller:

Next, I followed instructions here to create and apply the following Ingress manifest:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: istio-ingress
  namespace: istio-system
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:699727076305:certificate/7ec44e83-467d-4c21-b154-a1b04775483f
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: istio-ingressgateway
              servicePort: 443

After setup, I ran through these instructions to test ingress to the httpbin example successfully. I was able to get to it through the browser and with curl.

Finally, I followed these instructions to set up the Istio ingress gateway with HTTPS using SDS to manage the cert. This is where the testing fails. It failed to connect to the server when I used the following to get the INGRESS_HOST for NodePort:

export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].status.hostIP}')

So I shelled into a container in the namespace and got the following error running curl:

curl: (35) Unknown SSL protocol error in connection

When I test through the browser, I get a 502 Bad Gateway error.

Thanks for your help,
Bill
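The following is an added example, not part of Bill's post or of the Istio or ALB ingress controller documentation, showing the two ends of the ALB-to-gateway HTTPS hop side by side: the Ingress telling the ALB to speak HTTPS to its targets, and the Istio Gateway that serves TLS on port 443 from an SDS-provided credential. It assumes the annotation alb.ingress.kubernetes.io/backend-protocol is supported by the ALB ingress controller version in use, that a TLS secret named httpbin-credential has been created in istio-system for SDS, and that httpbin.example.com is the served host; the certificate ARN is a placeholder.

```yaml
# Added example (not from the original post). Ingress consumed by the ALB
# ingress controller: the listener terminates TLS at the ALB, and the
# backend-protocol annotation makes the ALB open HTTPS, not HTTP, to the
# istio-ingressgateway NodePort service on port 443.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: istio-ingress
  namespace: istio-system
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    # Placeholder ARN; substitute the ACM certificate for the public hostname.
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID
    # Assumption: this annotation exists in the controller version deployed.
    # Without it the ALB sends plaintext HTTP to a port expecting TLS.
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: istio-ingressgateway
              servicePort: 443
---
# Added example. Istio Gateway bound to the ingress gateway pods, serving
# HTTPS on 443. With the sds profile the key and certificate are fetched
# from the named Kubernetes secret (assumed: httpbin-credential) rather
# than mounted into the pod.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: httpbin-credential
      hosts:
        - "httpbin.example.com"   # assumed served hostname
```

Two things worth checking when this hop returns 502: that the Gateway above actually exists and matches the istio=ingressgateway selector, since without a server on 443 the gateway pod has nothing listening for TLS on that port, and that the secret named in credentialName is present in istio-system so SDS can hand the gateway a certificate. Note also that an ALB encrypts this hop but does not validate the target's certificate, so the backend leg is confidential but not authenticated by the load balancer; that is acceptable for many deployments but should be a conscious decision rather than an assumption.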