TLS termination at edge Envoy (with nginx pod)


Hello Everyone,

I have a setup where I am not using Istio’s gateway object as the entrypoint to the GKE cluster. I am using nginx-ingress instead, with an Envoy container as a sidecar.

I am able to get the HTTP requests into the nginx pod and able to route them to other microservices. For HTTPS calls, I am not able to get in.
The IP of the service for the nginx pod is an external one, and I am accessing that IP to talk directly to the Istio-enabled nginx-ingress.

Do I need to deploy a set of VirtualService or DestinationRule objects to fix this?

Or do I have to make use of Istio’s security features? How do I do any of these?

Here is my config:

MeshPolicy:

apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  labels:
    app: istio-security
    chart: security-1.0.6
    heritage: Tiller
    release: istio
  name: default
spec:
  peers:
  - mtls:
      mode: PERMISSIVE

I have added one namespace-wide “policy” too:

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: ingresss-permissive
  namespace: r19-1-ingress-qa
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
  targets:
  - name: ingress

What else do I need to add to make sure the pod in namespace “r19-1-ingress-qa” is able to receive HTTPS requests and do the TLS termination with the certificates mentioned in nginx.conf?

Do I need to add the nginx certificates somewhere else to make it work?