Hi,
I would like to know if it is possible to have TLS terminated virtual services (not https) ?
From what I read in the documentation it is not possible.
From a Kubernetes cluster we would like to access an external service through an egress gateway.
The protocol is a tcp protocol. And we want the egress gateway to take care of the mTLS to the external service. The application does not support TLS. What I wanted to achieve is the following:
pod → tcp → istio proxy → istio mtls → egress gateway (tls) → mtls (custom certs) → external service
I managed to have the egess gateway receive tcp “requests” from the pod but since the virtual service targeting the egress gateway does tls sni matching it does not terminate the tls connection (my assumption).
Doing the equivalent with http/s works:
pod → http → istio proxy → istio mtls → egress gateway (https) → mtls (custom certs) → external service
The virtual service for the egress gateway has http match (not tls match).
I just wanted confirmation that having the egress gateway performing TLS termination (no passthrough) is not possible.
I guess I’ll have to do
pod → tcp → istio proxy (custom mTLS) → egress gateway (tls passthrough) → external service
Regards
Luc