TLS handshake with custom CA using wildcard egress

I’m trying to set up istio (v1.7.3) on AKS (v1.16.13) in a way that for all HTTPS requests within my domain, the TLS handshake is performed transparently by the egress gateway.

I ended up with something like this (abc.mydomain.com is an external URL so that’s why I created a ServiceEntry for it):

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*.mydomain.com"
    tls:
      mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-mydomain
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
    - name: mydomain
  trafficPolicy:
    tls:
      mode: SIMPLE
      caCertificates: /etc/istio/mydomain-ca-certs/mydomain.crt
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-mydomain-through-egress-gateway
spec:
  hosts:
  - "*.mydomain.com"
  gateways:
  - mesh
  - istio-egressgateway
  tls:
  - match:
    - gateways:
      - mesh
      port: 443
      sniHosts:
      - "*.mydomain.com"
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: mydomain
        port:
          number: 443
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
      sniHosts:
      - "*.mydomain.com"
    route:
    - destination:
        host: abc.mydomain.com
        port:
          number: 443
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: www-mydomain
spec:
  hosts:
  - abc.mydomain.com
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS

I have mounted my certificate in the egress gateway and verified with:
kubectl exec -n istio-system "$(kubectl -n istio-system get pods -l istio=egressgateway -o jsonpath='{.items[0].metadata.name}')" -- ls -al /etc/istio/mydomain-ca-certs

I’m getting the following when invoking curl https://abc.mydomain.com from one of the pods running in another namespace:
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to abc.mydomain.com:443

I’ve also tried what’s described here (Trust custom Root CA on Egress Gateway) but I’m getting the error as above.

Any idea what I might be doing wrong?
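As an added diagnostic that is not part of this thread: the check below reproduces, outside Istio, the validation that SIMPLE-mode TLS origination with caCertificates has to pass (handshake with SNI, chain validated against the mounted CA only), so a CA-file or chain problem can be told apart from a routing problem. It assumes openssl is available where it runs; CA_FILE and UPSTREAM default to the thread's mydomain.crt path and abc.mydomain.com and are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders for the thread's values:
CA_FILE="${CA_FILE:-/etc/istio/mydomain-ca-certs/mydomain.crt}"
UPSTREAM="${UPSTREAM:-abc.mydomain.com}"

# Print subject and expiry of the mounted CA, to confirm the file that Istio
# will use for caCertificates is a parseable certificate at all.
show_ca() {
  openssl x509 -in "$CA_FILE" -noout -subject -enddate
}

# Read `openssl s_client` output on stdin and map its "Verify return code"
# line (standard X509_V_ERR values) to a short diagnosis.
diagnose_verify() {
  code=$(sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
  case "$code" in
    "") echo "no-handshake: no verify result, check routing and SNI first" ;;
    0)  echo "ok: chain validates against the mounted CA" ;;
    10) echo "expired: a certificate in the upstream chain has expired" ;;
    19) echo "self-signed-in-chain: upstream root is not the mounted CA" ;;
    20) echo "missing-issuer: mounted CA did not issue the upstream chain" ;;
    21) echo "incomplete-chain: server sends the leaf only, no intermediate" ;;
    *)  echo "verify-error-$code" ;;
  esac
}

# Do the same handshake the gateway would: SNI set to the upstream host,
# trust anchored on the mounted CA file only (no system trust store).
check_upstream() {
  openssl s_client -connect "$UPSTREAM:443" -servername "$UPSTREAM" \
    -CAfile "$CA_FILE" </dev/null 2>&1 | diagnose_verify
}

# Run the live checks only when invoked as: sh check-ca.sh run
if [ "${1:-}" = "run" ]; then
  show_ca
  check_upstream
fi
```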

You’re setting the caCertificates in the destination rule for the egress gateway; that seems a bit strange, I’m not sure if this is the correct way. @JimmyChen for custom cert on egress gateway.

I’ve posted the same question on stackoverflow to reach out to a broader community: https://stackoverflow.com/questions/64338861/tls-handshake-with-custom-ca-using-wildcard-egress