mTLS not working when service port and targetPort are different

Hi,

I'm trying the mTLS demo and have STRICT mode enabled globally. I have foo, bar, and legacy namespaces configured.

I have the service configured so port and targetPort are different:

  - name: http
    port: 8080
    targetPort: 8001
  selector:
    app: httpbin

When I do a curl -v http://httpbin.foo:8080/ip from the sleep pod, the connection gets rejected with 503, and looking at the Envoy logs, I can see "closing connection: no matching filter chain found" on the receiving Envoy.

However, the connection works when I have set the same port and targetPort, or if I remove the STRICT PeerAuthentication rule.

Any help as to what is happening, and how to debug would be greatly appreciated!

Here are the envoy listeners from receiving proxy:

0.0.0.0       15006 Trans: tls; Addr: *:8001                                                 Cluster: inbound|8001||

And on the sending proxy:

0.0.0.0       8080  Trans: raw_buffer; App: HTTP                                             Route: 8080
0.0.0.0       8080  ALL                                                                      PassthroughCluster