I did some searching but I must have missed something. I’ve got my HTTPS TLS termination working using the istio-ingressgateway along with my Gateway, VirtualService objects for https traffic.
What about non-http application layer protocols? SMTP, IMAP, SNMP, binary protocols - these can be transported over TLS secured sockets as we all know. But the Pilot controller complains if I use Gateway…port.protocol: TCP with port.name: tcp-imap AND tls.mode: SIMPLE (with the same tls properties as my working https ports). Once I got rid of the tls: block for these non-http protocols, no complaints, but that also means no TLS termination.
Is Istio TLS termination not meant for non-http protocols? The text “TLS implies the connection will be routed based on the SNI header to the destination without terminating the TLS connection.” in the https://istio.io/docs/reference/config/networking/gateway/#Port section makes me suspect so (or that only the Mongo protocol over TLS can be terminated? I know nothing about the Mongo protocol; perhaps it’s http-like, and that’s why it’s in the Gateway…port.protocol description text?)
Would be nice to have the ingress controller handle all such configured traffic. I’m hoping I missed some documentation that spells it out either way.
Error: admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: 2 errors occurred: * server cannot have TLS settings for non HTTPS/TLS ports * server cannot have TLS settings for non HTTPS/TLS ports