I am trying to set up a cluster with Istio on it. I have deployed Istio with SDS and Mutual TLS. This results in the following destinationrule:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  annotations:
  generation: 1
  labels:
    app: security
    chart: security
    heritage: Tiller
    release: istio
  name: default
  namespace: ""
  resourceVersion: ""
  selfLink: /apis/networking.istio.io/v1alpha3/namespaces/istio-system/destinationrules/default
  uid: ""
spec:
  host: '*.local'
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
However, I am not able to connect to my gateway as long as the mode is ISTIO_MUTUAL. All I see in the logs of the istio-ingressgateway is:
[2019-07-15 13:55:47.875][31][debug][pool] [external/envoy/source/common/http/http1/conn_pool.cc:129] [C30102] client disconnected, failure reason: TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
[2019-07-15 13:55:47.875][31][debug][pool] [external/envoy/source/common/http/http1/conn_pool.cc:164] [C30102] purge pending, failure reason: TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
[2019-07-15 13:55:47.875][31][debug][router] [external/envoy/source/common/router/router.cc:671] [C30099][S12459294470605007068] upstream reset: reset reason connection failure
[2019-07-15 13:55:47.875][31][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:1137] [C30099][S12459294470605007068] Sending local reply with details upstream_reset_before_response_started{connection failure,TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER}
Since I am using SDS there aren’t any certificates in ingressgateway-certs (see https://istio.io/docs/tasks/security/auth-sds/#verifying-no-secret-volume-mounted-file-is-generated) as it is described in https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-mount/
Can anyone point me to the correct configuration or help me debug the issue?
Best regards,
stiller-leser