I tried to configure HTTPS ingress access to an HTTPS service using the link below: https://istio.io/docs/examples/advanced-gateways/ingress-sni-passthrough. The sample given in the Istio documentation works fine using my certs.
However, if I try to apply the same gateway and virtual service to my use case, I get an SSL certificate validation error in the browser, and even the curl command gives an SSL handshake error. In my use case, instead of an nginx server I have a Spring Boot component with SSL enabled.
My cluster's GKE version is 1.11.8-gke.6, and I have installed Istio by enabling the Istio addons in the gcloud cluster create command. The Istio version installed is 1.0.6-gke.3. The security config is set to MTLS_PERMISSIVE.
istio: ingressgateway # use Istio default gateway implementation
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp-virtual-service
spec:
  hosts:
  - "service-myapp.x.xx"
  gateways:
  - myapp-gateway
  tls:
  - match:
    - port: 443
      sni_hosts:
      - "service-myapp.x.xx"
    route:
    - destination:
        host: myapp
        port:
          number: 443
- port: 80
- port: 443
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: myapp
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: x.io/myapp
        resources:
          requests:
            memory: "1024Mi"
        ports:
        - containerPort: 12345
        env:
        - name: SERVER_PORT
          value: "12345"
        volumeMounts:
        - name: myapp-keystore
          mountPath: /keystore
        - name: myapp-truststore
          mountPath: /mnt
      volumes:
      - name: myapp-keystore
        secret:
          secretName: myapp-jks
      - name: myapp-truststore
        secret:
          secretName: myapp-trust-jks
I looked into the logs of istio-ingressgateway. I could see the logs where it routes the traffic to the myapp service, and I could also see the logs in the Envoy sidecar proxy. But I don’t see any errors or exceptions in the logs.
Any idea how to enable debug logs in the ingress-gateway pod and istio-proxy sidecars?
Any help will be appreciated.