Hello, I installed Istio via the Istio Operator and have the following versions:
control plane version: 1.8.1
data plane version: 1.8.1 (9 proxies)
I want to configure the egress request routing for a wildcard host with Istio. I created the following ServiceEntry:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google
spec:
  hosts:
  - "*.google.com"
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: NONE
  location: MESH_EXTERNAL
```
Making a request from inside a container in the same namespace works fine:
```
# curl -sSI https://www.google.com | grep "HTTP/"
HTTP/2 200
```
Istio Sidecar logs:
```
[2021-06-23T07:28:22.764Z] "- - -" 0 - "-" 888 4698 32 - "-" "-" "-" "-" "188.8.131.52:443" outbound|443||*.google.com 10.16.4.11:33624 184.108.40.206:443 10.16.4.11:33622 www.google.com -
```
Now I also want to use mTLS with a custom certificate that I have injected into the file system of the Istio sidecar.
```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: dwc-domain-wildcard-egress-dr
  namespace: dwc-dev-dev
spec:
  host: "*.google.com"
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        clientCertificate: /etc/dwc/certs/tls.crt
        privateKey: /etc/dwc/certs/tls.key
        caCertificates: /etc/ssl/certs/ca-certificates.crt
```
Output of the same request with the DestinationRule applied:
```
# curl -sSI https://www.google.com -v
*   Trying 220.127.116.11:443...
* TCP_NODELAY set
* Connected to www.google.com (18.104.22.168) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
```
Istio Sidecar container logs:
```
2021-06-23T07:30:41.161797Z info sds resource:file-cert:/etc/dwc/certs/tls.crt~/etc/dwc/certs/tls.key new connection
2021-06-23T07:30:41.161812Z info sds resource:file-root:/etc/ssl/certs/ca-certificates.crt new connection
2021-06-23T07:30:41.161942Z info sds Skipping waiting for gateway secret
2021-06-23T07:30:41.161942Z info sds Skipping waiting for gateway secret
2021-06-23T07:30:41.162262Z info cache GenerateSecret from file file-cert:/etc/dwc/certs/tls.crt~/etc/dwc/certs/tls.key
2021-06-23T07:30:41.162292Z info cache GenerateSecret from file file-root:/etc/ssl/certs/ca-certificates.crt
2021-06-23T07:30:41.162411Z info sds resource:file-cert:/etc/dwc/certs/tls.crt~/etc/dwc/certs/tls.key pushed key/cert pair to proxy
2021-06-23T07:30:41.162488Z info sds resource:file-root:/etc/ssl/certs/ca-certificates.crt pushed root cert to proxy
[2021-06-23T07:30:56.278Z] "- - -" 0 - "-" 517 179 25 - "-" "-" "-" "-" "22.214.171.124:443" outbound|443||*.google.com 10.16.4.11:34582 126.96.36.199:443 10.16.4.11:34580 www.google.com -
```
Please note that my requirements call for a wildcard host, as the FQDN isn't known when the Istio configuration is written.
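A check worth running against the sidecar logs quoted above, added here as an editor's example and not part of the original post: both access-log lines have `requested_server_name` set to `www.google.com`. Envoy fills that field from the SNI in the downstream ClientHello, so it is only populated when the application itself already spoke TLS to the sidecar. Once a DestinationRule with `tls.mode: MUTUAL` is attached to that cluster, the sidecar originates a second TLS session around the application's TLS bytes, and the peer's reply reaches curl as non-TLS data, which is the generic cause of `ssl3_get_record:wrong version number` (Istio's own TLS-origination docs have the application send plaintext to the sidecar for this reason). The parser below reads Istio 1.8's default text access-log format and flags TCP connections that carry client TLS into a cluster the sidecar is known to originate TLS for. The set of originating clusters is an input: the log alone cannot tell whether origination was active at the time, which is why the first (working) line is flagged too when the cluster is listed; take the real set from `istioctl proxy-config cluster <pod> -o json` (clusters carrying a TLS `transport_socket`). The field names and the `AccessLogEntry` class are this example's own.

```python
"""Parse Istio 1.8 default-format sidecar access logs and flag TCP connections
where the application already sent TLS (SNI present) into a cluster for which
the sidecar originates TLS, i.e. TLS wrapped inside TLS.
Editor's example, not code from the original post."""
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Set

# Field order of Istio's default TEXT access-log format (1.8). The quoted
# "method path protocol" group is a single token once the quotes are honoured.
FIELDS = (
    "start_time", "request", "response_code", "response_flags",
    "upstream_transport_failure_reason", "bytes_received", "bytes_sent",
    "duration_ms", "upstream_service_time", "x_forwarded_for", "user_agent",
    "request_id", "authority", "upstream_host", "upstream_cluster",
    "upstream_local_address", "downstream_local_address",
    "downstream_remote_address", "requested_server_name", "route_name",
)


@dataclass(frozen=True)
class AccessLogEntry:          # example's own type, not an Istio API
    start_time: str
    method: str
    path: str
    protocol: str
    response_code: int
    response_flags: str
    bytes_received: int        # bytes read from the application (downstream)
    bytes_sent: int            # bytes written back to the application
    duration_ms: int
    upstream_host: str
    upstream_cluster: str
    requested_server_name: str

    @property
    def is_tcp(self) -> bool:
        # A TCP proxy (no HTTP parsing) logs "- - -" for method/path/protocol.
        return self.protocol == "-"

    @property
    def has_client_tls(self) -> bool:
        # REQUESTED_SERVER_NAME is the SNI from the downstream ClientHello,
        # so it is only set when the application itself spoke TLS.
        return self.requested_server_name not in ("", "-")


def parse_line(line: str) -> AccessLogEntry:
    """Parse one access-log line; raises ValueError on a different format."""
    tokens = shlex.split(line)  # splits on whitespace, honours the quoted fields
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    f = dict(zip(FIELDS, tokens))
    method, path, protocol = f["request"].split(" ", 2)
    return AccessLogEntry(
        start_time=f["start_time"].strip("[]"),
        method=method, path=path, protocol=protocol,
        response_code=int(f["response_code"]),
        response_flags=f["response_flags"],
        bytes_received=int(f["bytes_received"]),
        bytes_sent=int(f["bytes_sent"]),
        duration_ms=int(f["duration_ms"]),
        upstream_host=f["upstream_host"],
        upstream_cluster=f["upstream_cluster"],
        requested_server_name=f["requested_server_name"],
    )


def cluster_service(cluster: str) -> str:
    """'outbound|443||*.google.com' -> '*.google.com' (Istio cluster naming)."""
    return cluster.split("|", 3)[3]


def double_tls_connections(entries: Iterable[AccessLogEntry],
                           originating_clusters: Set[str]) -> List[AccessLogEntry]:
    """TCP connections where the app sent TLS and the sidecar wraps it in TLS again."""
    return [e for e in entries
            if e.is_tcp and e.has_client_tls and e.upstream_cluster in originating_clusters]


# The two sidecar access-log lines quoted in the post above.
SAMPLE_LOG = [
    '[2021-06-23T07:28:22.764Z] "- - -" 0 - "-" 888 4698 32 - "-" "-" "-" "-" '
    '"188.8.131.52:443" outbound|443||*.google.com 10.16.4.11:33624 '
    '184.108.40.206:443 10.16.4.11:33622 www.google.com -',
    '[2021-06-23T07:30:56.278Z] "- - -" 0 - "-" 517 179 25 - "-" "-" "-" "-" '
    '"22.214.171.124:443" outbound|443||*.google.com 10.16.4.11:34582 '
    '126.96.36.199:443 10.16.4.11:34580 www.google.com -',
]
ENTRIES = [parse_line(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    # Cluster set as it would look after the MUTUAL DestinationRule is applied.
    for e in double_tls_connections(ENTRIES, {"outbound|443||*.google.com"}):
        print(f"{e.start_time} SNI={e.requested_server_name} "
              f"cluster={cluster_service(e.upstream_cluster)} "
              f"rx={e.bytes_received} tx={e.bytes_sent}: app TLS into a TLS-originating cluster")
```

The second line is the one to look at: 517 bytes in from curl, 179 bytes back, and no HTTP method or status because the sidecar never parsed HTTP on this port. Whenever a connection shows SNI from the application and a TLS-originating cluster at the same time, the fix is on the application side of the sidecar (send plaintext and let the proxy do the only TLS hop), not in the certificate paths.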