Hi there,
I want to use AWS ALB to offload my SSL. I want to use an official Amazon certificate for that. In my backend, which is served by istio-ingressgateway, I will use self-signed certificates to encrypt the connection from ALB to istio-ingressgateway.
Overview:
Client → ALB offloading TLS → ALB opens new TLS connection to istio-ingressgateway → istio-ingressgateway
Unfortunately ALB doesn’t support SNI to the backends. Is it possible to connect to the istio-ingressgateway with a kind of default certificate and then select the service via host header?
Best regards
Fabian
This is my configuration of one service. The other services are configured the same way but with another host. Without ALB the services are reachable directly via istio-ingressgateway.
---
# Gateway: terminates HTTPS on the istio-ingressgateway pods for one host.
# The certificate comes from the Kubernetes TLS secret named in
# credentialName (it must live in the namespace of the ingress gateway).
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: echoserver-tls-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: echoserver-tls-credential
      hosts:
        - "echoserver-tls.example.com"
---
# VirtualService: binds the host to the gateway above and routes every
# request path to port 80 of the echoserver-tls service.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: echoserver-tls
spec:
  hosts:
    - "echoserver-tls.example.com"
  gateways:
    - echoserver-tls-gateway
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            port:
              number: 80
            host: echoserver-tls
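The setup the question describes, as an added example that is not part of the original post or of Istio's own documentation: a single Gateway server on port 443 whose hosts list is "*", so it is served with one certificate (a "default" certificate) and does not depend on the SNI the ALB never sends; routing then happens per Host header through one VirtualService per service. The secret name default-tls-credential, the second host otherservice.example.com and the service name otherservice are assumptions made up for the example.

```yaml
# Added example, not from the original post. Assumes:
#  - a TLS secret named default-tls-credential in istio-system (the
#    namespace of the istio-ingressgateway pods), created for instance with
#    kubectl -n istio-system create secret tls default-tls-credential \
#      --cert=default.crt --key=default.key
#  - two ClusterIP services, echoserver-tls and otherservice (hypothetical),
#    in the namespace where these VirtualServices are applied
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: default-tls-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: default-tls-credential   # one certificate for all hosts
      hosts:
        - "*"   # no SNI match: also answers TLS connections that send no SNI
---
# Host-based routing for the first service. The host list must be a subset
# of the gateway's hosts; "*" on the gateway covers any name.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: echoserver-tls
spec:
  hosts:
    - "echoserver-tls.example.com"
  gateways:
    - default-tls-gateway
  http:
    - route:
        - destination:
            host: echoserver-tls
            port:
              number: 80
---
# Host-based routing for a second (hypothetical) service behind the same
# certificate and the same gateway server.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: otherservice
spec:
  hosts:
    - "otherservice.example.com"
  gateways:
    - default-tls-gateway
  http:
    - route:
        - destination:
            host: otherservice
            port:
              number: 80
```

Two points worth checking before relying on this. First, the ALB forwards the client's Host header unchanged to an HTTPS target group, and it does not validate the certificate the target presents, so a self-signed default certificate is sufficient for the ALB-to-gateway hop; the ALB's health check still needs a path that the gateway answers for the health-check Host (or a VirtualService for "*" on a harmless path). Second, with one certificate for every name, the VirtualService host lists are the only thing separating the services, so keep them exact hostnames rather than wildcards, and keep the client-facing trust on the ALB's ACM certificate, which is the certificate browsers actually verify.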