I am trying to implement Istio for some workloads that are already working in Kubernetes. I have encountered one case where an existing workload fails with Istio. I want to make sure I have the correct understanding. Here’s a diagram.
The top user request path is working. The request successfully goes through the Apache reverse proxy to the external workload and is returned as expected.
The lower path is what I understand is happening in Istio. I know that the traffic is making it to the Apache container, and I think when it makes the call to the external workload, that request goes through the Envoy proxy. My first question is whether this is correct?
If my understanding is correct, then I need to figure out why the request shown by the red arrow is failing. Here is a snippet from the Apache logs.
[Wed Aug 21 21:44:07.857888 2019] [proxy:error] [pid 8:tid 139724907849472] (20014)Internal error (specific information not available): [client 127.0.0.1:34160] AH01084: pass request body failed to 192.168.15.50:443 (dev10.hprt.com), referer: https://story-6421.api.cicd.k8s.com/
[Wed Aug 21 21:44:07.858016 2019] [proxy:error] [pid 8:tid 139724907849472] [client 127.0.0.1:34160] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://story-6421.api.cicd.k8s.com/
[Wed Aug 21 21:44:07.858024 2019] [proxy_http:error] [pid 8:tid 139724907849472] [client 127.0.0.1:34160] AH01097: pass request body failed to 192.168.15.50:443 (dev10.hprt.com) from 127.0.0.1 (), referer: https://story-6421.api.cicd.k8s.com/
I know SSL is set up correctly on dev10.hprt.com, so I think Apache must be having a problem with Envoy. I found some threads about how to fix this error in Apache, which is usually caused by a bad certificate or SSL configuration (e.g. https://serverfault.com/questions/538086/proxyerror-ah00898-error-during-ssl-handshake-with-remote-server), but even when I add those configuration changes to ignore and not validate, I get the same error.
Is it possible to achieve what I’m trying to do? Can egress be configured to just pass through the request and not attempt to terminate SSL?
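As an added example (not part of the original post or its replies), this is the kind of Istio configuration used to make the sidecar treat an external HTTPS host as TLS passthrough rather than something it routes at the HTTP layer. With sidecar injection, all outbound traffic from the Apache container is redirected through the Envoy proxy, so the hop drawn with the red arrow does pass through Envoy. Registering the destination in a ServiceEntry with `protocol: HTTPS` (or `TLS`) on port 443 tells Envoy to route the connection on its SNI and forward the encrypted session unchanged, so Apache completes the TLS handshake end to end with the upstream. The host name and address are the ones in the question; the resource name and namespace are assumptions.

```yaml
# Added example, not from the original post: register dev10.hprt.com
# as a mesh-external HTTPS service so the sidecar passes the TLS
# session through instead of terminating or rejecting it.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: dev10-hprt-com        # assumed name
  namespace: default          # assumed: same namespace as the Apache pod
spec:
  hosts:
  - dev10.hprt.com            # host Apache proxies to (from the question)
  location: MESH_EXTERNAL     # outside the mesh: no mTLS is attempted
  ports:
  - number: 443
    name: https
    protocol: HTTPS           # HTTPS/TLS: Envoy matches on SNI and does not terminate
  resolution: DNS             # resolve the host via DNS from the sidecar
```

If the mesh runs with `outboundTrafficPolicy.mode: REGISTRY_ONLY`, an unregistered destination like this one is blocked at the sidecar, which surfaces on the Apache side as a failed handshake; with `ALLOW_ANY` it is normally passed through already, so a handshake failure then points at how the port is classified. The listener Envoy actually built for the Apache pod can be inspected with `istioctl proxy-config listener <apache-pod> --port 443`. If DNS for `dev10.hprt.com` is not resolvable from inside the cluster, `resolution: STATIC` with an `endpoints` entry for 192.168.15.50 is the equivalent form. Note that with passthrough Envoy only sees the SNI, so validation of the upstream certificate remains Apache's job; the `SSLProxyVerify` relaxations tried while debugging should be reverted once the path works.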