I have an external domain, r3t.io, and an internal domain, reboot3times.org. I generally prefer to terminate TLS after traffic has passed through the router, before it’s handed off to an internal service (outside the cluster), which doesn’t have TLS enabled but listens on port 8080. I’m able to terminate TLS with both Traefik and Nginx just fine, but I don’t think I quite understand where I’ve broken my Istio config (still learning).
This is my config:
```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: airport-proxy
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      httpsRedirect: true
    hosts:
    - "airport.r3t.io"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: airport
spec:
  hosts:
  - airport.r3t.io
  gateways:
  - airport-proxy
  tls:
  - match:
    - gateways:
      - airport-proxy
      port: 443
      sni_hosts:
      - airport.r3t.io
    route:
    - destination:
        host: airport.r3t.io
        port:
          number: 8080
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: airport-http
spec:
  hosts:
  - airport.r3t.io
  ports:
  - number: 8080
    name: http-external
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: DNS
  endpoints:
  - address: airport.reboot3times.org
    ports:
      http-external: 8080
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: airport-dr
spec:
  host: airport.reboot3times.org
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 8080
      tls:
        mode: DISABLE
```
This is the error I get when I try to reach the external service:
```text
curl -v https://airport.r3t.io
* Rebuilt URL to: https://airport.r3t.io/
*   Trying 174.29.33.129...
* TCP_NODELAY set
* Connected to airport.r3t.io (174.29.33.129) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to airport.r3t.io:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to airport.r3t.io:443
```
I was able to successfully deploy the Ingress Gateway with SDS (File Mount) httpbin example; you can see the teapot here. I’m not quite sure what I’m doing wrong. I would like to terminate TLS at the gateway and then hand the unencrypted traffic off to the internal service (outside the cluster).