Hi, I’m relatively new to Istio, and I’m facing an issue with some DigiCert root certificates that are currently missing in Docker images.
To avoid changing all images and building new ones, I was trying to overcome this with Istio.
The solution I was trying is as follows:
1- Added a service entry with the destination host.
2- Created a Virtual Service that gets requests on port 80 and forwards them to port 443:
Example:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: foo-vs
spec:
  hosts:
  - "foo_com"
  gateways:
  - mesh
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: "foo_com"
        port:
          number: 443
    timeout: 40s
I also have a Destination Rule as follows:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: foo-dr
spec:
  host: "foo.com"
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE
Conclusions: after looking at the logs, the redirect is working, but I’m getting this error on the request:
upstream connect error or disconnect/reset before headers. reset reason: connection termination
Edit: After fiddling with the Destination Rule, I’m getting the following errors with both port 80 and 443:
port 443 : curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
port 80 : TLS error: 268436576:SSL routines:OPENSSL_internal on istio-proxy log
Can this be solved somehow with Istio? Or is there any other idea on how to solve it, other than installing the root cert in all images?
Thanks
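
For reference, an added example (not part of the original post) of the sidecar TLS-origination layout the steps above aim for, following the pattern in Istio's egress TLS origination documentation: the application sends plain HTTP to `http://foo.com` on port 80, the ServiceEntry maps that port to upstream port 443 with `targetPort`, and the DestinationRule applies TLS to port 80 traffic. The host `foo.com`, the resource names, and the CA bundle path are assumptions.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: foo-se                 # hypothetical name
spec:
  hosts:
  - foo.com                    # placeholder host, as in the post
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
    targetPort: 443            # sidecar connects to the upstream on 443
  - number: 443
    name: https-port
    protocol: HTTPS            # left for clients that speak TLS themselves
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: foo-dr
spec:
  host: foo.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 80             # TLS is originated for what the app sent to port 80
      tls:
        mode: SIMPLE
        sni: foo.com
        # Assumed path: a CA bundle readable inside the istio-proxy container.
        # Depending on the Istio version, omitting caCertificates can leave the
        # upstream server certificate unverified, so set it explicitly.
        caCertificates: /etc/ssl/certs/ca-certificates.crt
```

In this layout the certificate check happens in the sidecar, so the root certificate only has to be trusted by istio-proxy; a client that still opens TLS itself on port 443 keeps using its own image's trust store.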