@Illidan we were tasked with the same challenge two days ago. Looking at this thread helped, but did not solve our problems completely. In the end we got it working after following the Istio guide for TLS origination and then adapting it to our use case.
```yaml
- number: 80
- number: 443
- address: vpc-xxxxxxxxx..amazonaws.com
- port: 80
# subset: tls-origination
# - name: tls-origination
mode: SIMPLE # initiates HTTPS
```
A few changes were made from the Istio guide:
- @willian.campos’s suggestion was followed and the fully qualified domain was replaced with aws.local for the “internal host”.
- The subset definition was removed from the destination rule. Kiali was warning that the kibana virtual service could not access the subset, and there was only one, so it was safe to remove.
At this point I was able to `curl http://vpc-xxxxxxxxx..amazonaws.com` from the Sleep Pod and achieve the same result as `curl https://vpc-xxxxxxxxx..amazonaws.com`, meaning that the TLS origination was working.
The last thing to do was create another virtual service that would attach to the ingress gateway. Please note that our ingress gateway is performing TLS termination. The virtual service looked like this:
And that completed the POC for us. I’m aware that this solution might have its own problems, but I hope it helps.
PS: have you tried to use AWS Cognito to provide a public entry point to Kibana? I’m not sure if it fits your use case, but it might make lives easier.
We had the following setting enabled in the Elasticsearch AWS console: Actions -> Modify encryptions. Toggling this could help with debugging.
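The post above only shows fragments of its manifests. The following is an added example (not the poster's configuration, and not copied from the Istio guide verbatim) of the same shape: a ServiceEntry that names the external endpoint `aws.local` inside the mesh, a mesh-side VirtualService that redirects port 80 to 443, a DestinationRule that originates TLS on 443, and an ingress Gateway plus VirtualService that terminate TLS at the edge and route into it. The resource names, the namespace, the public hostname `kibana.example.com` and the Gateway secret `kibana-tls` are assumptions; `vpc-xxxxxxxxx..amazonaws.com` is the redacted endpoint from the thread and must be replaced with the real one.

```yaml
# Added example, not the poster's manifests. Assumed names: aws-es, kibana-gateway,
# kibana.example.com, secret kibana-tls in istio-system. Replace the redacted host.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: aws-es
spec:
  hosts:
  - aws.local                               # internal name used by mesh clients
  location: MESH_EXTERNAL
  resolution: DNS                           # endpoint address is resolved via DNS
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  endpoints:
  - address: vpc-xxxxxxxxx..amazonaws.com   # redacted in the post; the real AWS endpoint
---
# Mesh-side: plain HTTP on aws.local:80 is routed to aws.local:443, where the
# DestinationRule below turns it into HTTPS. This is what makes curl http:// from
# the Sleep pod behave like curl https://.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: aws-es-mesh
spec:
  hosts:
  - aws.local
  http:
  - match:
    - port: 80
    rewrite:
      authority: vpc-xxxxxxxxx..amazonaws.com   # send the real Host header upstream
    route:
    - destination:
        host: aws.local
        port:
          number: 443
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: aws-es
spec:
  host: aws.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE                            # sidecar/gateway initiates HTTPS
        sni: vpc-xxxxxxxxx..amazonaws.com       # present the real name, not aws.local
---
# Edge: the ingress gateway terminates the public TLS connection ...
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kibana-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: kibana-tls              # assumed TLS secret in istio-system
    hosts:
    - kibana.example.com
---
# ... and this VirtualService, bound to that gateway, routes straight to
# aws.local:443 so the DestinationRule re-originates TLS towards AWS.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kibana-ingress
spec:
  hosts:
  - kibana.example.com
  gateways:
  - kibana-gateway
  http:
  - rewrite:
      authority: vpc-xxxxxxxxx..amazonaws.com
    route:
    - destination:
        host: aws.local
        port:
          number: 443
```

Two things to check in a setup like this. First, the `sni` and `rewrite.authority` fields matter once the internal host is renamed to `aws.local`: without them the proxy offers `aws.local` in the TLS handshake and in the Host header, which a certificate and virtual-host bound to the AWS name will not accept. Second, `mode: SIMPLE` says nothing about verification on its own; consult the ClientTLSSettings reference for your Istio release, because older releases skip server certificate verification when `caCertificates` is omitted, and a TLS-originating hop that does not verify the upstream certificate is open to interception on the path to AWS.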