I have mTLS enabled on my cluster but am unable to create a gateway that does TLS termination to services that do not have mTLS. As an example, I have Kiali installed in the istio-system namespace and have disabled the self-signed cert it typically uses, so it serves traffic without SSL. Below are my objects. The behavior I observe is that the connection hangs:
```
curl https://kiali-istio.domain/kiali -vv
*   Trying 10.1.51.209...
* TCP_NODELAY set
* Connected to kiali-istio.domain (10.1.51.209) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
```
```yaml
# kiali
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "kiali-disable-mtls"
  namespace: "istio-system"
spec:
  targets:
  - name: kiali
    ports:
    - number: 20001
---
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "kiali"
  namespace: "istio-system"
spec:
  host: kiali.istio-system.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-kiali-gateway
  namespace: "istio-system"
  annotations:
    kubernetes.io/ingress.class: internal
spec:
  selector:
    istio: ilbgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "kiali-istio.domain"
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: istio-kiali
  namespace: "istio-system"
spec:
  hosts:
  - "kiali-istio.domain"
  gateways:
  - istio-kiali-gateway
  http:
  - route:
    - destination:
        port:
          number: 20001
        host: kiali.istio-system.svc.cluster.local
```
Any ideas would be appreciated. Thanks.
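The following is an added example, not code from the original post or from the Istio project: a small offline checker that cross-references the four objects above the way a reviewer would before debugging the TLS handshake itself. It verifies that the VirtualService names the Gateway and a host the Gateway serves, that the route destination matches the DestinationRule host and the port the Policy exempts from mTLS, and that the HTTPS server carries a SIMPLE/MUTUAL `tls` block with both a key and a certificate path. The last check is a labelled heuristic rather than a documented rule: it assumes each gateway deployment mounts its certificate secret under a directory named after its `istio:` selector label (so an `ilbgateway` workload would be expected to find files under a `…/ilbgateway-certs/` path, not the `ingressgateway-certs` path in the Gateway above), and flags that as something to confirm with `kubectl describe pod` on the gateway workload. The manifests are embedded as constructed Python dicts so the script needs neither PyYAML nor cluster access.

```python
import copy

# Constructed from the manifests posted above (hand-transcribed, not read from a cluster).
POLICY = {
    "kind": "Policy",
    "metadata": {"name": "kiali-disable-mtls", "namespace": "istio-system"},
    "spec": {"targets": [{"name": "kiali", "ports": [{"number": 20001}]}]},
}
DESTINATION_RULE = {
    "kind": "DestinationRule",
    "metadata": {"name": "kiali", "namespace": "istio-system"},
    "spec": {"host": "kiali.istio-system.svc.cluster.local",
             "trafficPolicy": {"tls": {"mode": "DISABLE"}}},
}
GATEWAY = {
    "kind": "Gateway",
    "metadata": {"name": "istio-kiali-gateway", "namespace": "istio-system"},
    "spec": {
        "selector": {"istio": "ilbgateway"},
        "servers": [{
            "port": {"number": 443, "name": "https", "protocol": "HTTPS"},
            "hosts": ["kiali-istio.domain"],
            "tls": {"mode": "SIMPLE",
                    "privateKey": "/etc/istio/ingressgateway-certs/tls.key",
                    "serverCertificate": "/etc/istio/ingressgateway-certs/tls.crt"},
        }],
    },
}
VIRTUAL_SERVICE = {
    "kind": "VirtualService",
    "metadata": {"name": "istio-kiali", "namespace": "istio-system"},
    "spec": {
        "hosts": ["kiali-istio.domain"],
        "gateways": ["istio-kiali-gateway"],
        "http": [{"route": [{"destination": {
            "port": {"number": 20001},
            "host": "kiali.istio-system.svc.cluster.local"}}]}],
    },
}


def check_manifests(policy, dr, gw, vs):
    """Return a list of findings; an empty list means every cross-reference lines up."""
    findings = []

    # 1. The VirtualService must bind to the Gateway by name (both live in istio-system).
    if gw["metadata"]["name"] not in vs["spec"]["gateways"]:
        findings.append("VirtualService does not list the Gateway %s" % gw["metadata"]["name"])

    # 2. Every routed host must be served by some Gateway server (or a wildcard).
    gw_hosts = {h for s in gw["spec"]["servers"] for h in s["hosts"]}
    for host in vs["spec"]["hosts"]:
        if host not in gw_hosts and "*" not in gw_hosts:
            findings.append("host %s is routed but no Gateway server lists it" % host)

    # 3. Route destinations must match the DestinationRule host and the Policy target/port,
    #    otherwise the mTLS-disable settings apply to a different endpoint than the one routed to.
    policy_ports = {p["number"] for t in policy["spec"]["targets"] for p in t.get("ports", [])}
    policy_names = {t["name"] for t in policy["spec"]["targets"]}
    for rule in vs["spec"]["http"]:
        for dest in rule["route"]:
            host = dest["destination"]["host"]
            port = dest["destination"]["port"]["number"]
            if host != dr["spec"]["host"]:
                findings.append("route host %s differs from DestinationRule host %s" % (host, dr["spec"]["host"]))
            if host.split(".")[0] not in policy_names:
                findings.append("route host %s is not a target of the Policy" % host)
            if policy_ports and port not in policy_ports:
                findings.append("route port %d is not covered by the Policy ports %s" % (port, sorted(policy_ports)))

    # 4. An HTTPS server needs a terminating tls mode plus both file paths.
    selector = gw["spec"]["selector"].get("istio", "")
    for server in gw["spec"]["servers"]:
        if server["port"]["protocol"] != "HTTPS":
            continue
        tls = server.get("tls", {})
        name = server["port"]["name"]
        if tls.get("mode") not in ("SIMPLE", "MUTUAL"):
            findings.append("HTTPS server %s has no tls mode SIMPLE or MUTUAL" % name)
        for key in ("privateKey", "serverCertificate"):
            path = tls.get(key, "")
            if not path:
                findings.append("HTTPS server %s is missing tls.%s" % (name, key))
                continue
            # 5. Heuristic (assumption, not an Istio rule): the secret is expected to be mounted
            #    under a "<selector>-certs" directory inside the pods the selector picks.
            if selector and "/%s-certs/" % selector not in path:
                findings.append("warning: selector istio=%s but tls.%s=%s is not under a %s-certs directory; "
                                "confirm the secret is mounted in that gateway's pods" % (selector, key, path, selector))
    return findings


def with_cert_dir(gw, directory):
    """Return a deep copy of the Gateway with both tls file paths moved into `directory`."""
    fixed = copy.deepcopy(gw)
    for server in fixed["spec"]["servers"]:
        tls = server.get("tls", {})
        for key, fname in (("privateKey", "tls.key"), ("serverCertificate", "tls.crt")):
            if key in tls:
                tls[key] = "%s/%s" % (directory.rstrip("/"), fname)
    return fixed


if __name__ == "__main__":
    for line in check_manifests(POLICY, DESTINATION_RULE, GATEWAY, VIRTUAL_SERVICE) or ["ok"]:
        print(line)
```

Running it against the objects as posted reports only the two heuristic warnings about the certificate paths; the name, host and port cross-references are consistent. Whether those paths are actually populated in the `ilbgateway` pods is something to verify on the cluster, since a server whose key or certificate file is absent gives Envoy nothing to complete the handshake with.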