I have a cluster that use Nginx Ingress and , and enabled auto MTLS for all services.
The internal services are all communicated fine with MTLS enabled and proper Peer Authentication policy applied, but i got an issue specifically for this communication link.
–> AWS ALB ----> Nginx Ingress Controller ----> Service
- default (injected with envoy sidecar). Applied with Peer Authentication Policy
- nginx-ingress (injected with envoy sidecar). No Policy applied
Updated with nginx-ingress-controller logs
2020/06/12 07:25:27 [error] 38#38: *5190 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: 220.127.116.11, server: service.somewhere.com, request: "GET /admin/console.html HTTP/1.1", upstream: "https://10.100.xx.xx:443/admin/console.html", host: "service.somewhere.com"
When i remove the peer authentication policy for default namespace, the route works.
I think i do need some extra set-up or configuratio for non-istio ingress controller right? Appreciate if anyone can point me to a guide or reference