I’m looking for some guidance on how to configure sidecar to talk to the backend service that only understands https. By design, all traffic between the sidecar and the service is plaintext, which results in
upstream connect error or disconnect/reset before headers. reset reason: connection failure , since the service expects TLS handshake.
From the sidecar I can execute:
istio-proxy@playground-vdev2-cm-all-1-5dbcff567c-wtpsc:/$ curl -v -s -o /dev/null -k https://localhost:8443 * Trying 127.0.0.1:8443... * TCP_NODELAY set * Connected to localhost (127.0.0.1) port 8443 (#0) ... < HTTP/1.1 200 OK < Server: nginx/1.20.2 < Date: Sat, 15 Jan 2022 21:23:09 GMT < Content-Type: text/html < Content-Length: 612 < Last-Modified: Tue, 16 Nov 2021 14:44:02 GMT < Connection: keep-alive < ETag: "6193c3b2-264" < Accept-Ranges: bytes
I reckon the envoy can be forced to use TLS by using EnvoyFilter but I have no idea how it should look like.
Any help appreciated.