Https only backend service

Sebastian_Maj · January 15, 2022, 9:56pm

Folks,

I’m looking for some guidance on how to configure sidecar to talk to the backend service that only understands https. By design, all traffic between the sidecar and the service is plaintext, which results in upstream connect error or disconnect/reset before headers. reset reason: connection failure , since the service expects TLS handshake.

From the sidecar I can execute:

istio-proxy@playground-vdev2-cm-all-1-5dbcff567c-wtpsc:/$ curl -v -s -o /dev/null -k https://localhost:8443
*   Trying 127.0.0.1:8443...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8443 (#0)
...
< HTTP/1.1 200 OK
< Server: nginx/1.20.2
< Date: Sat, 15 Jan 2022 21:23:09 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Tue, 16 Nov 2021 14:44:02 GMT
< Connection: keep-alive
< ETag: "6193c3b2-264"
< Accept-Ranges: bytes

I reckon the envoy can be forced to use TLS by using EnvoyFilter but I have no idea how it should look like.

Any help appreciated.

Rob_Mason · February 9, 2022, 9:07am

When you say. backend-service is that another k8s service in the mesh, something external to the mesh or the application container in the kubernetes pod?
From your curl I suspect its the latter. If that is the case I believe you should be configuring your app container to be plaintext(HTTP) . Thats pretty much the idea in istio , the proxy takes care of tls initiation and termination so you have TLS between pod boundaries and plaintext between proxy and application within the pod (which is an in memory xfer)

Topic		Replies	Views
TLS Handling from Envoy Security	2	618	November 3, 2020
Istio pod to pod mTLS Security	3	2736	July 2, 2020
Pod with Sidecar Fails SSL with External Service	4	2135	August 20, 2019
Is TLS used between istio ingressgateway pod and service pod?	2	1686	February 6, 2019
TLS termination at edge Envoy (with nginx pod)	0	617	February 26, 2019

Https only backend service

Related topics