Mutual TLS origination by Egress Gateway

I’m trying to set up an external service with mTLS using the example from the Istio docs.

Istio is version 1.1.2 deployed with helm.

I’ve redeployed the egress-gateway with the client certificates and added the following (mtls is globally enabled):

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: myservice-ext
  namespace: my-namespace
spec:
  hosts:
  - myservice.domain.local
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: myservice-egressgateway
  namespace: my-namespace
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: https
      protocol: HTTPS
    hosts:
    - myservice.domain.local
    tls:
      mode: MUTUAL
      serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-myservice-ext
  namespace: my-namespace
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: myservice-ext
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 80
        tls:
          mode: ISTIO_MUTUAL
          sni: myservice.domain.local
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-myservice-ext-through-egress-gateway
  namespace: my-namespace
spec:
  hosts:
  - myservice.domain.local
  gateways:
  - myservice-egressgateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: myservice-ext
        port:
          number: 443
      weight: 100
  - match:
    - gateways:
      - myservice-egressgateway
      port: 443
    route:
    - destination:
        host: myservice.domain.local
        port:
          number: 443
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-myservice-ext
  namespace: my-namespace
spec:
  host: myservice.domain.local
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        clientCertificate: /etc/myservice-ext-certs/tls.crt
        privateKey: /etc/myservice-ext-certs/tls.key
        caCertificates: /etc/ca-certs/ca-certs.pem
        sni: myservice.domain.local

I think I followed the example, but it’s not working and I’ve no idea what’s wrong or where to debug.

Any hints on where to start debugging, or what’s wrong in my config?

I suspect that your ServiceEntry does not have Istio sidecar.

ISTIO_MUTUAL means mutual TLS terminated between Envoy sidecars, requiring both ends to have Envoy and be part of the Istio mesh.

It’s not intended to be used for mTLS outside of the mesh (egress in your case).

So the DestinationRule should look like this?

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-my-service
  namespace: my-namespace
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: my-service
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 80
        tls:
          mode: DISABLE
          sni: myservice.domain.local

This is not working either; I get a 503 and ‘upstream connect error or disconnect/reset before headers’.
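As a starting point for the debugging question, here is an added consistency check (not code from this thread or from Istio) run over dict versions of the manifests posted above: it reports ports that differ between the Gateway server, the VirtualService routes and the DestinationRule portLevelSettings, and a TLS mode that does not fit the hop, using the rule from the reply above that ISTIO_MUTUAL is for in-mesh (.svc.cluster.local) hops and MUTUAL for the external host. The "fixed" variants that move the Gateway server and the egress DestinationRule to port 443 are an assumption for contrast, not a verified fix.

```python
# Added example, not code from the thread or from Istio: a static consistency
# check for the sidecar -> egress gateway -> external host chain.  The manifests
# are constructed Python dicts mirroring the posted YAML (no PyYAML needed).
EGRESS = "istio-egressgateway.istio-system.svc.cluster.local"
EXTERNAL = "myservice.domain.local"

GATEWAY = {"metadata": {"name": "myservice-egressgateway"},
           "spec": {"servers": [{"port": {"number": 80, "protocol": "HTTPS"},
                                 "tls": {"mode": "MUTUAL"}}]}}
VIRTUAL_SERVICE = {"spec": {"http": [
    {"match": [{"gateways": ["mesh"], "port": 80}],
     "route": [{"destination": {"host": EGRESS, "subset": "myservice-ext",
                                "port": {"number": 443}}}]},
    {"match": [{"gateways": ["myservice-egressgateway"], "port": 443}],
     "route": [{"destination": {"host": EXTERNAL, "port": {"number": 443}}}]}]}}
# DestinationRules reduced to host -> {port: tls mode} from portLevelSettings.
RULES = [{"host": EGRESS, "tls_by_port": {80: "ISTIO_MUTUAL"}},
         {"host": EXTERNAL, "tls_by_port": {443: "MUTUAL"}}]
# Assumed contrast case: Gateway server and egress DestinationRule both on 443.
GATEWAY_FIXED = {"metadata": {"name": "myservice-egressgateway"},
                 "spec": {"servers": [{"port": {"number": 443, "protocol": "HTTPS"},
                                       "tls": {"mode": "MUTUAL"}}]}}
RULES_FIXED = [{"host": EGRESS, "tls_by_port": {443: "ISTIO_MUTUAL"}},
               {"host": EXTERNAL, "tls_by_port": {443: "MUTUAL"}}]

def in_mesh(host):
    """Cluster-internal hosts get ISTIO_MUTUAL; anything else needs MUTUAL."""
    return host.endswith(".svc.cluster.local")

def check_chain(gateway, vs, rules):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    findings = []
    gw_name = gateway["metadata"]["name"]
    gw_ports = {s["port"]["number"] for s in gateway["spec"]["servers"]}
    tls_by_host = {r["host"]: r["tls_by_port"] for r in rules}
    for route in vs["spec"]["http"]:
        for m in route.get("match", []):
            port = m.get("port")
            if gw_name in m.get("gateways", []) and port not in gw_ports:
                findings.append(f"match on gateway port {port}, "
                                f"but the Gateway server listens on {sorted(gw_ports)}")
        for r in route["route"]:
            host, port = r["destination"]["host"], r["destination"]["port"]["number"]
            if in_mesh(host) and port not in gw_ports:
                findings.append(f"route to egress gateway port {port}, "
                                f"but the Gateway server listens on {sorted(gw_ports)}")
            mode = tls_by_host.get(host, {}).get(port)
            expected = "ISTIO_MUTUAL" if in_mesh(host) else "MUTUAL"
            if mode != expected:
                findings.append(f"{host}:{port} needs tls mode {expected}, "
                                f"DestinationRule gives {mode}")
    return findings
```

Run against the posted manifests it returns three findings, all about port 80 versus 443 between the Gateway, the VirtualService routes and the egress DestinationRule; the contrast case returns none.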