Hello,
I’m trying to set up TLS origination for an Elasticsearch host. I’ve followed the guide to the point (as far as I can tell) but it doesn’t work.
If I understand correctly, when TLS origination is configured for a TLS host (in this case responding on port 9243), I should be able to connect to it on port 80 from a pod in my cluster and Istio will change the connection to the secure port behind the scenes.
When I try to connect to my Elasticsearch host from a pod I get no response, the connection just hangs. I can connect to the host on the secure port just fine.
My configuration looks like this:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-elastic
  namespace: my-namespace
spec:
  hosts:
  - my-elasticsearch-host
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 9243
    name: http-port-for-tls-origination
    protocol: HTTP
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: external-elastic
  namespace: my-namespace
spec:
  hosts:
  - my-elasticsearch-host
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: my-elasticsearch-host
        port:
          number: 9243
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-elastic
  namespace: my-namespace
spec:
  host: my-elasticsearch-host
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 9243
      tls:
        mode: SIMPLE # initiates TLS
```
What am I doing wrong here?