Hello Everyone,
I have a setup where I am not using Istio’s Gateway object as the entry point to the GKE cluster. I am using nginx-ingress instead, with an Envoy container as a sidecar.
I am able to get the HTTP requests in the nginx pod and able to route them to other microservices. For HTTPS calls I am not able to get in.
The IP of the Service for the nginx pod is an external one, and I am accessing that IP to talk directly to the Istio-enabled nginx-ingress.
Do I need to deploy a set of VirtualService or DestinationRule objects to fix this?
Or do I have to make use of Istio’s security features? How do I do any of these?
Here is my config:
meshpolicy:
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  labels:
    app: istio-security
    chart: security-1.0.6
    heritage: Tiller
    release: istio
  name: default
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
I have added one namespace-wide “policy” too:
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: ingresss-permissive
  namespace: r19-1-ingress-qa
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
  targets:
  - name: ingress
What else do I need to add to make sure the pod in namespace “r19-1-ingress-qa” is able to receive HTTPS requests and do the TLS termination as per the certificates mentioned in nginx.conf?
Do I need to add the nginx certificates somewhere else to make it work ?
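The two objects in the post are resolved by Istio 1.0 in a fixed order: a service-specific Policy (one that lists `targets`) takes precedence over a namespace-wide Policy (no `targets`), which takes precedence over the MeshPolicy. The script below is an added example, not code from the original post or from Istio; it mirrors the posted MeshPolicy and Policy as plain Python dicts (constructed inline, so it runs offline) and reports which object governs a given service and the mTLS mode that results. Assumptions: target `ports` selectors are ignored, and when several policies compete at the same level the first one listed wins (Istio itself treats that as a conflict).

```python
# Added example (not from the original post or from Istio): resolve which
# authentication.istio.io/v1alpha1 policy governs a service and what peer
# mTLS mode it yields. Precedence per the Istio 1.0 authentication-policy
# docs: service-specific Policy (has `targets`) > namespace-wide Policy
# (no `targets`) > MeshPolicy. Assumptions: target `ports` are ignored and
# the first of several same-level policies wins.

# Hand-built dicts mirroring the YAML objects shown in the post.
MESH_POLICY = {
    "kind": "MeshPolicy",
    "metadata": {"name": "default"},
    "spec": {"peers": [{"mtls": {"mode": "PERMISSIVE"}}]},
}

POLICIES = [
    {
        "kind": "Policy",
        "metadata": {"name": "ingresss-permissive", "namespace": "r19-1-ingress-qa"},
        "spec": {
            "peers": [{"mtls": {"mode": "PERMISSIVE"}}],
            "targets": [{"name": "ingress"}],
        },
    },
]


def peer_mtls_mode(spec):
    """mTLS mode requested by a policy spec's `peers` list.

    `mtls: {}` means STRICT, because the mode field defaults to STRICT.
    A spec with no mtls peer method requests no peer authentication at all,
    which is reported here as "NONE".
    """
    for peer in spec.get("peers") or []:
        if "mtls" in peer:
            return (peer["mtls"] or {}).get("mode", "STRICT")
    return "NONE"


def _selects(policy, service):
    """True when the policy's `targets` list names this service."""
    targets = policy["spec"].get("targets") or []
    return any(t.get("name") == service for t in targets)


def effective_mtls_mode(service, namespace, mesh_policy=MESH_POLICY, policies=POLICIES):
    """Return (mode, source) for `service` in `namespace`.

    `source` names the object that won the precedence resolution, so a
    surprising mode can be traced back to the Policy that produced it.
    """
    in_ns = [p for p in policies if p["metadata"].get("namespace") == namespace]
    service_specific = [p for p in in_ns if _selects(p, service)]
    namespace_wide = [p for p in in_ns if not p["spec"].get("targets")]
    for candidates in (service_specific, namespace_wide):
        if candidates:
            chosen = candidates[0]  # assumption: first same-level policy wins
            return peer_mtls_mode(chosen["spec"]), "Policy/" + chosen["metadata"]["name"]
    return peer_mtls_mode(mesh_policy["spec"]), "MeshPolicy/" + mesh_policy["metadata"]["name"]


if __name__ == "__main__":
    # The posted Policy lists `targets`, so it only covers the `ingress`
    # service; every other service in the namespace falls back to the MeshPolicy.
    for svc in ("ingress", "some-other-svc"):
        mode, source = effective_mtls_mode(svc, "r19-1-ingress-qa")
        print(f"{svc}.r19-1-ingress-qa -> {mode} (from {source})")
```

Because the posted Policy carries a `targets` entry, it is a service-specific policy for `ingress` rather than a namespace-wide one; any other service in `r19-1-ingress-qa` is still governed by the MeshPolicy. On a live Istio 1.0 cluster, `istioctl authn tls-check` reports the same resolution against the real control plane.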