I’m trying to set up TLS origination for an Elasticsearch host. I’ve followed the guide to the point (as far as I can tell) but it doesn’t work.
If I understand correctly, when TLS origination is configured for a TLS host (in this case responding on port 9243), I should be able to connect to it on port 80 from a pod in my cluster and Istio will change the connection to the secure port behind the scenes.
When I try to connect to my Elasticsearch host from a pod I get no response; the connection just hangs. I can connect to the host on the secure port just fine.
My configuration looks like this:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-elastic
  namespace: my-namespace
spec:
  hosts:
  - my-elasticsearch-host
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 9243
    name: http-port-for-tls-origination
    protocol: HTTP
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: external-elastic
  namespace: my-namespace
spec:
  hosts:
  - my-elasticsearch-host
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: my-elasticsearch-host
        port:
          number: 9243
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-elastic
  namespace: my-namespace
spec:
  host: my-elasticsearch-host
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 9243
      tls:
        mode: SIMPLE # initiates TLS
```
What am I doing wrong here?