I have an external domain, r3t.io, and an internal domain, reboot3times.org. I generally prefer to terminate TLS after traffic has passed through the router, before it's handed off to an internal service (outside the cluster), which doesn't have TLS enabled but listens on port 8080. I'm able to terminate TLS with both Traefik and Nginx just fine, but I don't think I quite understand where I've broken my Istio config (still learning).
This is my config:
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: airport-proxy
    spec:
      selector:
        istio: ingressgateway # use istio default ingress gateway
      servers:
      - port:
          number: 443
          name: tls
          protocol: TLS
        tls:
          mode: SIMPLE
          serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
          privateKey: /etc/istio/ingressgateway-certs/tls.key
          httpsRedirect: true
        hosts:
        - "airport.r3t.io"
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: airport
    spec:
      hosts:
      - airport.r3t.io
      gateways:
      - airport-proxy
      tls:
      - match:
        - gateways:
          - airport-proxy
          port: 443
          sni_hosts:
          - airport.r3t.io
        route:
        - destination:
            host: airport.r3t.io
            port:
              number: 8080
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: airport-http
    spec:
      hosts:
      - airport.r3t.io
      ports:
      - number: 8080
        name: http-external
        protocol: HTTP
      location: MESH_EXTERNAL
      resolution: DNS
      endpoints:
      - address: airport.reboot3times.org
        ports:
          http-external: 8080
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: airport-dr
    spec:
      host: airport.reboot3times.org
      trafficPolicy:
        portLevelSettings:
        - port:
            number: 8080
          tls:
            mode: DISABLE
This is the error I get when I try to reach the external service:
    curl -v https://airport.r3t.io
    * Rebuilt URL to: https://airport.r3t.io/
    *   Trying 184.108.40.206...
    * TCP_NODELAY set
    * Connected to airport.r3t.io (220.127.116.11) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to airport.r3t.io:443
    * stopped the pause stream!
    * Closing connection 0
    curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to airport.r3t.io:443
I was able to successfully deploy the Ingress Gateway with SDS (File Mount) httpbin example; you can see the teapot here. I'm not quite sure what I'm doing wrong. I would like to terminate TLS at the gateway and then hand the unencrypted traffic off to the internal service (outside the cluster).
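Added example, not part of the original post: a reworked Gateway, VirtualService and DestinationRule for the setup described above, assuming the ServiceEntry from the post is kept unchanged. In Istio, a VirtualService `tls` section only matches TLS traffic the gateway does not terminate, so a server that terminates with `mode: SIMPLE` needs `protocol: HTTPS` together with an `http` route, and the DestinationRule has to name the host the route actually targets (the ServiceEntry host, not the endpoint address) to take effect.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: airport-proxy
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS          # terminate TLS at the gateway; TLS + tls routes is passthrough-style
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      # httpsRedirect belongs on a separate port-80 HTTP server, so it is dropped here
    hosts:
    - "airport.r3t.io"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: airport
spec:
  hosts:
  - airport.r3t.io
  gateways:
  - airport-proxy
  http:                        # plain HTTP routing after termination, not an SNI match
  - route:
    - destination:
        host: airport.r3t.io   # resolved through the ServiceEntry to airport.reboot3times.org
        port:
          number: 8080
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: airport-dr
spec:
  host: airport.r3t.io         # must match the route destination / ServiceEntry host
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 8080
      tls:
        mode: DISABLE          # explicit: the hop to the backend stays plaintext
```

The gateway-to-backend hop on port 8080 is plaintext by design, so that path should stay on the trusted internal network only.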