TLS origination not working

Hello,

I’m trying to set up TLS origination for an Elasticsearch host. I’ve followed the guide to the point (as far as I can tell) but it doesn’t work.

If I understand correctly, when TLS origination is configured for a TLS host (in this case responding on port 9243) I should be able to connect to it on port 80 from a pod in my cluster and Istio will change the connection to the secure port behind the scenes.

When I try to connect to my Elasticsearch host from a pod I get no response, the connection just hangs. I can connect to the host on the secure port just fine.

My configuration looks like this:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-elastic
  namespace: my-namespace
spec:
  hosts:
  - my-elasticsearch-host
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 9243
    name: http-port-for-tls-origination
    protocol: HTTP
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: external-elastic
  namespace: my-namespace
spec:
  hosts:
  - my-elasticsearch-host
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: my-elasticsearch-host
        port:
          number: 9243
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-elastic
  namespace: my-namespace
spec:
  host: my-elasticsearch-host
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 9243
      tls:
        mode: SIMPLE # initiates TLS

What am I doing wrong here?

Turns out I had traffic.sidecar.istio.io/excludeOutboundIPRanges enabled for the deployment. Removing it fixed the problem.

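A small consistency check for the setup discussed above, added here as an example and not part of the original thread. It encodes the page's three resources as constructed Python dicts and flags the two things that silently defeat TLS origination: a VirtualService port with no `tls.mode: SIMPLE` entry in the DestinationRule, and pod annotations (the `excludeOutboundIPRanges` one from the answer, and the standard `sidecar.istio.io/inject: "false"`) that keep outbound traffic away from the sidecar, so it leaves the pod in plaintext on port 80 instead of being upgraded.

```python
"""Lint the Istio TLS-origination resources from the thread (added example)."""
from typing import Any, Dict, List

HOST = "my-elasticsearch-host"

# Constructed copies of the page's YAML, reduced to the fields the check needs.
SERVICE_ENTRY: Dict[str, Any] = {"spec": {"hosts": [HOST], "ports": [
    {"number": 80, "name": "http-port", "protocol": "HTTP"},
    {"number": 9243, "name": "http-port-for-tls-origination", "protocol": "HTTP"}]}}
VIRTUAL_SERVICE: Dict[str, Any] = {"spec": {"hosts": [HOST], "http": [
    {"match": [{"port": 80}],
     "route": [{"destination": {"host": HOST, "port": {"number": 9243}}}]}]}}
DESTINATION_RULE: Dict[str, Any] = {"spec": {"host": HOST, "trafficPolicy": {
    "portLevelSettings": [{"port": {"number": 9243}, "tls": {"mode": "SIMPLE"}}]}}}

# Pod annotations that route outbound traffic around the sidecar; with them set,
# Envoy never sees the port-80 connection and cannot originate TLS for it.
BYPASS_ANNOTATIONS = ("traffic.sidecar.istio.io/excludeOutboundIPRanges",)


def check_tls_origination(se: Dict[str, Any], vs: Dict[str, Any],
                          dr: Dict[str, Any], pod_annotations: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the setup is consistent."""
    problems: List[str] = []
    se_ports = {p["number"] for p in se["spec"]["ports"]}
    # Ports on which the DestinationRule actually initiates TLS.
    tls_ports = {s["port"]["number"]
                 for s in dr["spec"]["trafficPolicy"].get("portLevelSettings", [])
                 if s.get("tls", {}).get("mode") == "SIMPLE"}
    if dr["spec"]["host"] not in vs["spec"]["hosts"]:
        problems.append("DestinationRule host does not match VirtualService hosts")
    for rule in vs["spec"]["http"]:
        for hop in rule["route"]:
            port = hop["destination"]["port"]["number"]
            if port not in se_ports:
                problems.append(f"VirtualService routes to port {port} missing from ServiceEntry")
            if port not in tls_ports:
                problems.append(f"no tls.mode SIMPLE for port {port}: traffic would stay plaintext")
    for key in BYPASS_ANNOTATIONS:
        if key in pod_annotations:
            problems.append(f"{key}={pod_annotations[key]!r} bypasses the sidecar for that range")
    if pod_annotations.get("sidecar.istio.io/inject") == "false":
        problems.append("sidecar injection disabled: no proxy to originate TLS")
    return problems


if __name__ == "__main__":
    # Constructed annotation reproducing the thread's root cause.
    bad = {"traffic.sidecar.istio.io/excludeOutboundIPRanges": "10.0.0.0/8"}
    print(check_tls_origination(SERVICE_ENTRY, VIRTUAL_SERVICE, DESTINATION_RULE, bad))
```

Feed it the `metadata.annotations` of the running pod (not only the Deployment template), since that is where the injector's effective settings end up.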