I am trying to make an mTLS connection between my k8s cluster and an external endpoint. Between the k8s cluster and the endpoint there is a VPN. I can reach the endpoint from the cluster using

curl -v http://myurl.exapmle.com --cacert /etc/sleep/tls/ca.crt --cert /etc/sleep/tls/tls.crt --key /etc/sleep/tls/tls.key

and I get the answer I expect:
< HTTP/1.1 404
< Server: nginx
< Date: Wed, 09 Mar 2022 12:11:57 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
< Connection: keep-alive
...
When I try to set up mTLS using Istio, as described in Istio / Egress Gateways with TLS Origination, it works as in the doc, but it doesn't work for my endpoint http://myurl.exapmle.com.
(The real URL has been replaced with an example.)
My config is:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mtls-gateway-egressgateway
  namespace: istio-system
spec:
  selector:
    app: egressgateway
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - myurl.exapmle.com
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-pkvc-test
  namespace: istio-system
spec:
  host: egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: pkvc-test
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 443
        tls:
          mode: ISTIO_MUTUAL
          sni: myurl.exapmle.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-pkvc-test-through-egress-gateway
  namespace: istio-system
spec:
  hosts:
  - myurl.exapmle.com
  gateways:
  - mtls-gateway-egressgateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: egressgateway.istio-system.svc.cluster.local
        subset: pkvc-test
        port:
          number: 443
      weight: 100
  - match:
    - gateways:
      - mtls-gateway-egressgateway
      port: 443
    route:
    - destination:
        host: myurl.exapmle.com
        port:
          number: 443
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-pkvc-test
  namespace: istio-system
spec:
  host: myurl.exapmle.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        credentialName: client-pkvc-test # this must match the secret created earlier to hold client certs
        sni: myurl.exapmle.com
---
apiVersion: v1
kind: Secret
metadata:
  name: client-pkvc-test
  namespace: istio-system
data:
  ca.crt: SOMEDATA
  tls.crt: SOMEDATA
  tls.key: SOMEDATA
The error I am facing:
kubectl exec "$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})" -c sleep -- sh -c "curl -v http://myurl.exapmle.com/api/rest/epa/v2/records/..."
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 10.21.201.189:80...
* Connected to myurl.exapmle.com (10.21.201.189) port 80 (#0)
> GET /api/rest/epa/v2/records/... HTTP/1.1
> Host: myurl.exapmle.com
> User-Agent: curl/7.81.0-DEV
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 503 Service Unavailable
< date: Wed, 09 Mar 2022 12:17:35 GMT
< server: envoy
< content-length: 0
< x-envoy-upstream-service-time: 52
<
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Connection #0 to myurl.exapmle.com left intact
Egress gateway logs:
[2022-03-09T12:17:35.844Z] "GET /api/rest/epa/v2/records/... HTTP/1.1" 503 NC cluster_not_found - "-" 0 0 0 - "10.245.58.251" "curl/7.81.0-DEV" "f58ca363-14c0-4b74-b34c-396cd81243e8" "myurl.exapmle.com" "-" - - 10.245.140.166:8443 10.245.58.251:55694 myurl.exapmle.com -
Logs from the istio-proxy sidecar (the sleep pod is meshed):
[2022-03-09T12:17:35.793Z] "GET /api/rest/epa/v2/records/... HTTP/1.1" 503 URX via_upstream - "-" 0 0 52 52 "-" "curl/7.81.0-DEV" "f58ca363-14c0-4b74-b34c-396cd81243e8" "myurl.exapmle.com" "10.245.140.166:8443" outbound|443|pkvc-test|egressgateway.istio-system.svc.cluster.local 10.245.58.251:55694 10.21.201.189:80 10.245.58.251:39536 - -
$ istioctl version
client version: 1.12.1
control plane version: 1.12.2
data plane version: 1.12.2 (6 proxies)
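Added note, not part of the original question: the config as posted contains no ServiceEntry for myurl.exapmle.com. The Istio egress-gateway TLS-origination guide the question follows registers the external host with a ServiceEntry before routing to it, and the NC / cluster_not_found response flag in the egress gateway log is Envoy reporting that it has no upstream cluster for the request, which is exactly the state of a host the mesh has never been told about. Below is a ServiceEntry in the shape the guide uses, adapted to the hostname in the question. The resource name is chosen for this example, and the ports and resolution mode are assumptions to be checked against the real endpoint.

```yaml
# Added example: register the external host with the mesh so that the
# egress gateway gets an outbound|443||myurl.exapmle.com cluster.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: pkvc-test            # name chosen for this example
  namespace: istio-system
spec:
  hosts:
  - myurl.exapmle.com
  ports:
  - number: 80
    name: http
    protocol: HTTP           # plaintext port the sleep pod calls
  - number: 443
    name: https
    protocol: HTTPS          # port the egress gateway originates mTLS to
  resolution: DNS            # assumes the VPN side resolves the hostname
  location: MESH_EXTERNAL    # the endpoint lives outside the cluster (this is also the default)
```

After applying it, `istioctl proxy-config cluster <egress-gateway-pod> -n istio-system | grep myurl.exapmle.com` should list an `outbound|443||myurl.exapmle.com` cluster on the egress gateway; while the NC flag persists, that line is missing. If the endpoint is only reachable by IP over the VPN and the name does not resolve from the gateway, `resolution: STATIC` with an explicit `endpoints` list is the alternative the ServiceEntry API offers. The DestinationRule with `credentialName` and the Secret must stay in the namespace where the egress gateway runs (istio-system here), because the gateway loads the client certificate through SDS from its own namespace.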