TLS termination at ingress for non mTLS service?

I have mtls enabled on my cluster but am unable to create a gateway which does TLS termination to services that do not have mtls. As an example the I have kiali installed in the istio-system ns and have disabled the self signed cert it typically uses to serve traffic without ssl. Below are my objects. The behavior I observe is that the connection hangs :

curl https://kiali-istio.domain/kiali -vv
*   Trying 10.1.51.209...
* TCP_NODELAY set
* Connected to kiali-istio.domain (10.1.51.209) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):

# kiali
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "kiali-disable-mtls"
  namespace: "istio-system"
spec:
  targets:
  - name: kiali
    ports:
    - number: 20001

---
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "kiali"
  namespace: "istio-system"
spec:
  host: kiali.istio-system.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE

--- 
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-kiali-gateway
  namespace: "istio-system"
  annotations:
    kubernetes.io/ingress.class: internal
spec:
  selector:
    istio: ilbgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "kiali-istio.domain"
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

---

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: istio-kiali
  namespace: "istio-system"
spec:
  hosts:
  - "kiali-istio.domain"
  gateways:
  - istio-kiali-gateway
  http:
  - route:
    - destination:
        port:
          number: 20001
        host: kiali.istio-system.svc.cluster.local

Any ideas would be appreciated. Thanks.

Could use some feedback on this if anyone has any ideas.

@rdyer Did you get anywhere with this? I’ve been wondering if the same thing is possible.

@dagon yes I finally got this working. See Issue with using an internal ingress for example of what I got working. Note I also created a policy for non-grafana dashboards (istio creates a default grafana policy, thus why its not in that ticket)

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "kiali-disable-mtls"
  namespace: "istio-system"
spec:
  targets:
  - name: kiali
    ports:
    - number: 20001

Ok, i took a look and I was able to get it working by doing something similar, thanks for replying.