Hello, I installed Istio via the Istio Operator and have the following versions:
control plane version: 1.8.1
data plane version: 1.8.1 (9 proxies)
I want to configure the egress request routing for a wildcard host with Istio. I created the following ServiceEntry:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts:
  - "*.google.com"
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: NONE
  location: MESH_EXTERNAL
Doing a request from inside a container in the same namespace works fine:
# curl -sSI https://www.google.com | grep "HTTP/"
HTTP/2 200
Istio Sidecar logs:
[2021-06-23T07:28:22.764Z] "- - -" 0 - "-" 888 4698 32 - "-" "-" "-" "-" "142.250.184.196:443" outbound|443||*.google.com 10.16.4.11:33624 142.250.184.196:443 10.16.4.11:33622 www.google.com -
Now I also want to use mTLS with a custom certificate I have injected into the file system of the Istio sidecar.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: dwc-domain-wildcard-egress-dr
  namespace: dwc-dev-dev
spec:
  host: "*.google.com"
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        clientCertificate: /etc/dwc/certs/tls.crt
        privateKey: /etc/dwc/certs/tls.key
        caCertificates: /etc/ssl/certs/ca-certificates.crt
Output of the same request (with the DestinationRule applied):
# curl -sSI https://www.google.com -v
* Trying 142.250.184.196:443...
* TCP_NODELAY set
* Connected to www.google.com (142.250.184.196) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Istio Sidecar container logs:
2021-06-23T07:30:41.161797Z info sds resource:file-cert:/etc/dwc/certs/tls.crt~/etc/dwc/certs/tls.key new connection
2021-06-23T07:30:41.161812Z info sds resource:file-root:/etc/ssl/certs/ca-certificates.crt new connection
2021-06-23T07:30:41.161942Z info sds Skipping waiting for gateway secret
2021-06-23T07:30:41.161942Z info sds Skipping waiting for gateway secret
2021-06-23T07:30:41.162262Z info cache GenerateSecret from file file-cert:/etc/dwc/certs/tls.crt~/etc/dwc/certs/tls.key
2021-06-23T07:30:41.162292Z info cache GenerateSecret from file file-root:/etc/ssl/certs/ca-certificates.crt
2021-06-23T07:30:41.162411Z info sds resource:file-cert:/etc/dwc/certs/tls.crt~/etc/dwc/certs/tls.key pushed key/cert pair to proxy
2021-06-23T07:30:41.162488Z info sds resource:file-root:/etc/ssl/certs/ca-certificates.crt pushed root cert to proxy
[2021-06-23T07:30:56.278Z] "- - -" 0 - "-" 517 179 25 - "-" "-" "-" "-" "142.250.184.196:443" outbound|443||*.google.com 10.16.4.11:34582 142.250.184.196:443 10.16.4.11:34580 www.google.com -
Please note that in my requirements a wildcard host is needed, as the FQDN isn't known during the Istio configuration.
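Added example (not part of the question above, and not Istio's own tooling): a small Python parser for the two sidecar access-log lines quoted in the post, so the working and the failing connection can be compared field by field. It assumes the field order of the Istio 1.8 default Envoy access-log format; the "aborted handshake" byte threshold is a heuristic of mine, not an Istio rule.

```python
"""Parse the Istio sidecar (Envoy) access-log lines quoted in the post and
compare the working egress connection with the failing one."""
import re
from dataclasses import dataclass
from typing import Tuple

# Field order assumed to be the Istio 1.8 default access-log format (assumption
# taken from the Istio docs, not stated in the post):
# [START_TIME] "METHOD PATH PROTOCOL" RESPONSE_CODE RESPONSE_FLAGS
# "RESPONSE_CODE_DETAILS" BYTES_RECEIVED BYTES_SENT DURATION UPSTREAM_SERVICE_TIME
# "X-FORWARDED-FOR" "USER-AGENT" "X-REQUEST-ID" "AUTHORITY" "UPSTREAM_HOST"
# UPSTREAM_CLUSTER UPSTREAM_LOCAL_ADDRESS DOWNSTREAM_LOCAL_ADDRESS
# DOWNSTREAM_REMOTE_ADDRESS REQUESTED_SERVER_NAME ROUTE_NAME
# A "- - -" request line means the proxy saw opaque TCP/TLS bytes, not parsed HTTP.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# The two access-log lines from the post, embedded so this runs offline.
WORKING_LINE = ('[2021-06-23T07:28:22.764Z] "- - -" 0 - "-" 888 4698 32 - "-" "-" "-" "-" '
                '"142.250.184.196:443" outbound|443||*.google.com 10.16.4.11:33624 '
                '142.250.184.196:443 10.16.4.11:33622 www.google.com -')
FAILING_LINE = ('[2021-06-23T07:30:56.278Z] "- - -" 0 - "-" 517 179 25 - "-" "-" "-" "-" '
                '"142.250.184.196:443" outbound|443||*.google.com 10.16.4.11:34582 '
                '142.250.184.196:443 10.16.4.11:34580 www.google.com -')


@dataclass(frozen=True)
class EgressLogEntry:
    start_time: str
    request_line: str
    response_code: str
    response_flags: str
    bytes_received: int   # bytes from the application (downstream) into the proxy
    bytes_sent: int       # bytes from the proxy back to the application
    duration_ms: int
    upstream_host: str
    upstream_cluster: str
    downstream_remote: str
    sni: str              # REQUESTED_SERVER_NAME: the SNI the application sent


def parse_access_log_line(line: str) -> EgressLogEntry:
    """Split one access-log line into the fields a TLS-origination debug needs."""
    tokens = [t.strip('[]"') for t in _TOKEN.findall(line)]
    if len(tokens) != 20:
        raise ValueError(f"expected 20 fields, got {len(tokens)}: {line!r}")
    return EgressLogEntry(
        start_time=tokens[0],
        request_line=tokens[1],
        response_code=tokens[2],
        response_flags=tokens[3],
        bytes_received=int(tokens[5]),
        bytes_sent=int(tokens[6]),
        duration_ms=int(tokens[7]),
        upstream_host=tokens[13],
        upstream_cluster=tokens[14],
        downstream_remote=tokens[17],
        sni=tokens[18],
    )


def cluster_parts(cluster: str) -> Tuple[str, int, str, str]:
    """Break 'outbound|443||*.google.com' into (direction, port, subset, host)."""
    direction, port, subset, host = cluster.split("|", 3)
    return direction, int(port), subset, host


def is_tcp_passthrough(entry: EgressLogEntry) -> bool:
    """True when the proxy logged no HTTP request line, i.e. it handled the
    connection as opaque TCP/TLS bytes (the case for an HTTPS ServiceEntry)."""
    return entry.request_line == "- - -"


def looks_like_aborted_handshake(entry: EgressLogEntry, min_reply_bytes: int = 1024) -> bool:
    """Heuristic (my assumption, not an Istio rule): a completed TLS handshake plus
    an HTTP response returns well over a kilobyte to the application. A passthrough
    connection that sends back less than min_reply_bytes most likely died during
    the handshake."""
    return is_tcp_passthrough(entry) and entry.bytes_sent < min_reply_bytes


def diff_entries(good: EgressLogEntry, bad: EgressLogEntry) -> dict:
    """Report what stayed the same and what changed between two connections."""
    return {
        "same_cluster": good.upstream_cluster == bad.upstream_cluster,
        "same_upstream": good.upstream_host == bad.upstream_host,
        "same_sni": good.sni == bad.sni,
        "bytes_sent_delta": bad.bytes_sent - good.bytes_sent,
        "good_handshake_suspected": looks_like_aborted_handshake(good),
        "bad_handshake_suspected": looks_like_aborted_handshake(bad),
    }


if __name__ == "__main__":
    good, bad = parse_access_log_line(WORKING_LINE), parse_access_log_line(FAILING_LINE)
    for key, value in diff_entries(good, bad).items():
        print(f"{key}: {value}")
```

Both lines route to the same cluster and carry the same SNI, so the only visible difference is the volume of data the proxy returned to the application: 4698 bytes for the working connection versus 179 for the failing one, which is why the heuristic flags only the second connection.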