We are using Istio for several services advertised via a Gateway using TLS simple mode to route traffic to several services from the same Gateway IP.
We wish to also employ TLS passthrough in order to reverse-proxy external services alongside our internal Kubernetes Pod-hosted services. We would consider using TLS origination if passthrough was not an option alongside our existing HTTPS simple mode services.
So far I have been referring to this PR for details of how to perform this configuration: https://github.com/istio/istio.io/pull/3180/files
I’m aware that there are some issues in our config, as although I can get the httpbin example to work for plain HTTP redirection, when moving to HTTPS I cannot get a connection; TLS negotiation fails like this:
* ALPN, offering http/1.1
* gnutls_handshake() failed: The TLS connection was non-properly terminated.
* Closing connection 0
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.
I will follow up and attach our config shortly. Using Istio 1.0.2, I believe.
$ curl --resolve host-to-proxy.com:443:10.0.0.111 https://host-to-proxy.com:443 -vvv -k
* Added host-to-proxy.com.com:443:10..0.0.111 to DNS cache
* Hostname host-to-proxy.com.com was found in DNS cache
* Trying 10.0.0.111...
* Connected to host-to-proxy.com (10.0.0.111) port 443 (#0)
* found 398 certificates in /etc/ssl/certs/ca-certificates.crt
* found 1454 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: The TLS connection was non-properly terminated.
* Closing connection 0
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.
Here’s the relevant config:
[EDIT - renamed ports from “https” and “https-ext” to “tls” and “tls-ext” to reflect requested change on live system.]
We never got this working and abandoned our attempts to use Istio as a reverse proxy for external services. Any additional information would be great! Documentation is lacking and I don’t know enough about the internals of Envoy to piece it together.
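
For reference, the setup the thread describes (one Gateway terminating TLS in SIMPLE mode for an in-cluster host while passing TLS through by SNI to an external host) has the following shape in the `networking.istio.io/v1alpha3` API. This is an added example, not the poster's config, and it has not been tested against their cluster or Istio 1.0.2. The resource names, `internal.example.com` and the certificate mount paths are assumptions; `host-to-proxy.com` and the port names `tls` / `tls-ext` are reused from the thread, and applying those names to the Gateway servers is itself an assumption.

```yaml
# Added illustration; values marked "assumed" do not come from the thread.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: shared-gateway                 # assumed name
spec:
  selector:
    istio: ingressgateway
  servers:
  - port: {number: 443, name: tls, protocol: HTTPS}
    hosts: ["internal.example.com"]    # assumed in-cluster host
    tls:
      mode: SIMPLE                     # gateway terminates TLS with its own cert
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt   # assumed path
      privateKey: /etc/istio/ingressgateway-certs/tls.key          # assumed path
  - port: {number: 443, name: tls-ext, protocol: HTTPS}
    hosts: ["host-to-proxy.com"]
    tls:
      mode: PASSTHROUGH                # no termination; routed on SNI only
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: host-to-proxy                  # assumed name
spec:
  hosts: ["host-to-proxy.com"]
  location: MESH_EXTERNAL              # backend lives outside the mesh
  resolution: DNS
  ports:
  - {number: 443, name: tls, protocol: TLS}
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: host-to-proxy                  # assumed name
spec:
  hosts: ["host-to-proxy.com"]
  gateways: ["shared-gateway"]
  tls:                                 # tls routes, not http: payload stays encrypted
  - match:
    - port: 443
      sniHosts: ["host-to-proxy.com"]  # must equal the SNI in the ClientHello
    route:
    - destination:
        host: host-to-proxy.com
        port: {number: 443}
```

With PASSTHROUGH the gateway never holds the external service's key: the client validates the external service's own certificate, and the gateway can only select a route when the ClientHello carries an SNI that matches both the Gateway `hosts` entry and the `sniHosts` match.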