Upstream connect error or disconnect/reset before headers. reset reason: connection termination

Hello

I’m trying to access two soap webservices outside of kubernetes.

istio v1.2.2
service1: dev-soap.domain.local
service2: dev-soap2.domain.local

On the egress gateway I’ve mounted my ca certificate. I can access service1 but not service2. I’m using the same config for both services (only the url is different).

On service2 I get:
upstream connect error or disconnect/reset before headers. reset reason: connection termination

I’ve no idea what’s the problem, anyone who can help?

istio config service1:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: soap-ext
  namespace: mynamespace
spec:
  hosts:
  - dev-soap.domain.local
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway-soap-ext
  namespace: mynamespace
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: https
      protocol: HTTPS
    hosts:
    - dev-soap.domain.local
    tls:
      mode: MUTUAL
      serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-soap-ext
  namespace: mynamespace
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: soap-ext
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 80
        tls:
          mode: ISTIO_MUTUAL
          sni: dev-soap.domain.local
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-soap-through-egress-gateway
  namespace: mynamespace
spec:
  hosts:
  - dev-soap.domain.local
  gateways:
  - istio-egressgateway-soap-ext
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: soap-ext
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway-soap-ext
      port: 80
    route:
    - destination:
        host: dev-soap.domain.local
        port:
          number: 443
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-soap
  namespace: mynamespace
spec:
  host: dev-soap.domain.local
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE
        caCertificates: /etc/certs/my-root-cert.pem

istio config service2:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: soap-ext2
  namespace: mynamespace
spec:
  hosts:
  - dev-soap2.domain.local
  ports:
  - number: 80
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway-soap-ext2
  namespace: mynamespace
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: https
      protocol: HTTPS
    hosts:
    - dev-soap2.domain.local
    tls:
      mode: MUTUAL
      serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-soap-ext2
  namespace: mynamespace
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: soap-ext2
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 80
        tls:
          mode: ISTIO_MUTUAL
          sni: dev-soap2.domain.local
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-soap2-through-egress-gateway
  namespace: mynamespace
spec:
  hosts:
  - dev-soap2.domain.local
  gateways:
  - istio-egressgateway-soap-ext2
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: soap-ext2
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - istio-egressgateway-soap-ext2
      port: 80
    route:
    - destination:
        host: dev-soap2.domain.local
        port:
          number: 443
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-soap2
  namespace: mynamespace
spec:
  host: dev-soap2.domain.local
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE
        caCertificates: /etc/certs/my-root-cert.pem

What does the cert look like?

I have come across issues in defining multiple gateways. I suggest you consolidate everything into a single gateway. I think this should work.

@Tao_Li

The certificate has:

CN = dev-soap.domain.local

and

SAN =
DNS Name=dev-soap.domain.local
DNS Name=dev-soap2.domain.local

@Ramaprasad_Gurajala
It’s also not working when I define service2 only and delete the config for service1.
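
The five service2 resources posted in this thread refer to each other by gateway name, host, subset and port. As an added example (not part of any post and not Istio code), this sketch cross-checks those references on a constructed, trimmed copy of the service2 config. The dict layout and the names `service2_resources` and `lint` are assumptions of the example.

```python
# Constructed, trimmed copy of the service2 resources from the post: only the
# fields the checks read. The dict layout is this example's own, not Istio's.
HOST = "dev-soap2.domain.local"
EGRESS = "istio-egressgateway.istio-system.svc.cluster.local"
GATEWAY = "istio-egressgateway-soap-ext2"

def service2_resources():
    return {
        "service_entry": {"hosts": [HOST], "ports": [80, 443]},
        "gateway": {"name": GATEWAY, "servers": [{"port": 80, "hosts": [HOST]}]},
        "egress_rule": {"host": EGRESS,
                        "subsets": {"soap-ext2": {"port": 80, "sni": HOST}}},
        "origination_rule": {"host": HOST, "tls_ports": [443]},
        "routes": [  # the two http routes of the VirtualService
            {"gateway": "mesh", "dest": EGRESS, "subset": "soap-ext2", "dest_port": 80},
            {"gateway": GATEWAY, "dest": HOST, "subset": None, "dest_port": 443},
        ],
    }

def lint(r):
    """Return a list of broken cross-references; empty means the wiring is consistent."""
    problems = []
    gw, se, orig = r["gateway"], r["service_entry"], r["origination_rule"]
    gw_hosts = {h for s in gw["servers"] for h in s["hosts"]}
    gw_ports = {s["port"] for s in gw["servers"]}
    for route in r["routes"]:
        if route["gateway"] == "mesh":  # sidecar -> egress gateway hop
            subset = r["egress_rule"]["subsets"].get(route["subset"])
            if route["dest"] != r["egress_rule"]["host"] or subset is None:
                problems.append("mesh route uses an undefined egress subset")
                continue
            if subset["sni"] not in gw_hosts:
                problems.append("subset SNI matches no Gateway server host")
            if subset["port"] != route["dest_port"] or route["dest_port"] not in gw_ports:
                problems.append("mesh route port is not served by the Gateway")
        elif route["gateway"] == gw["name"]:  # egress gateway -> external host hop
            if route["dest"] not in se["hosts"] or route["dest_port"] not in se["ports"]:
                problems.append("gateway route target is not in the ServiceEntry")
            if route["dest"] != orig["host"] or route["dest_port"] not in orig["tls_ports"]:
                problems.append("no TLS-origination rule covers the external port")
        else:
            problems.append("route bound to unknown gateway " + route["gateway"])
    return problems

if __name__ == "__main__":
    print(lint(service2_resources()) or "cross-references are consistent")
```

An empty result only shows that the names, hosts and ports line up across the resources; it says nothing about whether the TLS handshake to the external host succeeds.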