Verifying mTLS between services

Thank you, all. I ended up updating the log format, per @kuat’s suggestion. I added the following:

localSubject=%DOWNSTREAM_LOCAL_SUBJECT% peerSubject=%DOWNSTREAM_PEER_SUBJECT% peerIssuer=%DOWNSTREAM_PEER_ISSUER%i localUriSan=%DOWNSTREAM_LOCAL_URI_SAN% peerUriSan=%DOWNSTREAM_PEER_URI_SAN%

This is what the receiving istio-proxy’s log looks like. I don’t know why the subjects are missing, but I do see other fields.

[03/03/2020T18:28:16+0000 1583260096] method=GET authority=hiworld.hw:5000 txId=- request=/hello alpn=HTTP/1.1 response_flag=- ssl_protocol=TLSv1.2 ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256 status=200 status_details=via_upstream request_size=0 response_size=58 envoy_request_id=3e84e6d9-fb92-495a-b0ef-99c33caec71d user-agent=curl/7.38.0 xFor=192.168.125.199 x-envoy-upstream-service-time=176 total_time_ms=176 upstream=127.0.0.1:5000 localSubject=- peerSubject=- peerIssuer=emailAddress=<masked>,CN=<masked> localUriSan=spiffe://cluster.local/ns/hw/sa/default peerUriSan=spiffe://cluster.local/ns/hw/sa/default

This is what the sending istio-proxy’s log looks like. None of the SSL/TLS fields are populated. Is that to be expected for the sending proxy?

[03/03/2020T18:31:26+0000 1583260286] method=GET authority=hiworld.hw:5000 txId=- request=/hello alpn=HTTP/1.1 response_flag=- ssl_protocol=- ssl_cipher=- status=200 status_details=via_upstream request_size=0 response_size=58 envoy_request_id=67f40161-514e-482c-a055-7a27247cd197 user-agent=curl/7.38.0 xFor=192.168.125.199 x-envoy-upstream-service-time=181 total_time_ms=183 upstream=192.168.223.72:5000 localSubject=- peerSubject=- peerIssuer=-i localUriSan=- peerUriSan=-

Thanks again,
jaid
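Two things in the log lines above are worth reading carefully before trusting them as mTLS evidence. First, on the sending sidecar the `%DOWNSTREAM_*%` operators describe the connection from the local application into its own sidecar, which Istio carries in plaintext over loopback, so empty `ssl_protocol`/`peerUriSan` values there say nothing about the mTLS session the sidecar opens towards the peer; the receiving sidecar's line is the one that shows the client identity. Second, Istio workload certificates carry the identity in the SPIFFE URI SAN rather than in the Subject DN, so `peerSubject=-` next to a populated `peerUriSan` is normal. (The literal `i` after `%DOWNSTREAM_PEER_ISSUER%` in the format string is also why the second line prints `peerIssuer=-i`.) The following added example, which is not code from the post or from Istio, parses lines in this key=value format, tells the receiving sidecar apart from the sending one, and reports which inbound requests reached the application without a verified SPIFFE client identity. It assumes the receiving sidecar forwards to `127.0.0.1` and the sending one to a remote pod IP (a heuristic taken from the two `upstream=` values in the post), and its sample input is a constructed copy of the two posted lines, trimmed to the fields it uses, plus one constructed plaintext inbound line.

```python
"""Classify Istio sidecar (Envoy) access-log lines by the mTLS evidence they carry.

Added example, not code from the post or from Istio. It reads lines in the
key=value access-log format shown in the post, separates the receiving
(inbound) sidecar from the sending (outbound) one, and reports whether each
inbound request was authenticated by a SPIFFE client identity.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the two lines from the post, trimmed to the fields
# used here, plus a third, constructed line showing an inbound request that
# reached the application in plaintext (no TLS, no peer certificate).
SAMPLE_LOG = """\
[03/03/2020T18:28:16+0000 1583260096] method=GET authority=hiworld.hw:5000 ssl_protocol=TLSv1.2 ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256 status=200 upstream=127.0.0.1:5000 localSubject=- peerSubject=- peerIssuer=emailAddress=<masked>,CN=<masked> localUriSan=spiffe://cluster.local/ns/hw/sa/default peerUriSan=spiffe://cluster.local/ns/hw/sa/default
[03/03/2020T18:31:26+0000 1583260286] method=GET authority=hiworld.hw:5000 ssl_protocol=- ssl_cipher=- status=200 upstream=192.168.223.72:5000 localSubject=- peerSubject=- peerIssuer=- localUriSan=- peerUriSan=-
[03/03/2020T18:40:00+0000 1583260800] method=GET authority=hiworld.hw:5000 ssl_protocol=- ssl_cipher=- status=200 upstream=127.0.0.1:5000 localSubject=- peerSubject=- peerIssuer=- localUriSan=- peerUriSan=-
"""

# Istio workload identity: spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>
SPIFFE_RE = re.compile(r"^spiffe://(?P<td>[^/]+)/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")
EMPTY = "-"  # Envoy prints "-" for an operator that has no value


def parse_line(line: str) -> Dict[str, str]:
    """Split one '[timestamp] key=value key=value ...' line into a dict.

    Only the first '=' of each token separates key from value, so a DN such as
    'emailAddress=x,CN=y' survives intact. Values containing spaces (possible in
    a real Subject DN) would need quoting in the log format; the format in the
    post does not quote them, so this parser assumes space-free values.
    """
    m = re.match(r"\[(?P<ts>[^\]]*)\]\s*(?P<rest>.*)$", line.strip())
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    fields = {"timestamp": m.group("ts")}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


@dataclass
class Verdict:
    role: str                     # "inbound" (receiving sidecar) or "outbound" (sending sidecar)
    status: str                   # "mtls-verified", "tls-no-client-identity", "plaintext", "not-observable"
    peer_identity: Optional[str]  # SPIFFE ID of the client, when one was presented
    reason: str


def sidecar_role(fields: Dict[str, str]) -> str:
    """Heuristic (assumption, not an Envoy field): the receiving sidecar forwards to the
    local app on 127.0.0.1, the sending sidecar forwards to a remote pod IP."""
    return "inbound" if fields.get("upstream", "").startswith("127.0.0.1:") else "outbound"


def classify(fields: Dict[str, str]) -> Verdict:
    role = sidecar_role(fields)
    tls_version = fields.get("ssl_protocol", EMPTY)
    peer_san = fields.get("peerUriSan", EMPTY)

    if role == "outbound":
        # DOWNSTREAM_* operators on the sending sidecar describe the hop from the local
        # application into the sidecar (plaintext over loopback); the mTLS session the
        # sidecar opens towards the peer is not what these fields report.
        return Verdict(role, "not-observable", None,
                       "downstream fields describe the app-to-sidecar hop, not the mTLS upstream")
    if tls_version == EMPTY:
        return Verdict(role, "plaintext", None, "no TLS on the inbound connection")
    if not SPIFFE_RE.match(peer_san):
        return Verdict(role, "tls-no-client-identity", None,
                       f"TLS {tls_version} but no SPIFFE client certificate (peerUriSan={peer_san})")
    return Verdict(role, "mtls-verified", peer_san, f"TLS {tls_version}, client identity {peer_san}")


def audit(log_text: str) -> List[Verdict]:
    """One Verdict per non-empty log line, in input order."""
    return [classify(parse_line(line)) for line in log_text.splitlines() if line.strip()]


def unauthenticated_inbound(log_text: str) -> List[str]:
    """Timestamps of inbound requests that reached the app without a verified client identity."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        verdict = classify(fields)
        if verdict.role == "inbound" and verdict.status != "mtls-verified":
            flagged.append(fields["timestamp"])
    return flagged


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"{v.role:8} {v.status:22} {v.reason}")
    print("unauthenticated inbound:", unauthenticated_inbound(SAMPLE_LOG))
```

Run against the sample, the first line is reported as `mtls-verified` with the client identity `spiffe://cluster.local/ns/hw/sa/default`, the sending sidecar's line as `not-observable`, and the constructed third line as `plaintext`; `unauthenticated_inbound` returns only that third line's timestamp. The role heuristic is the weakest part: in a real deployment, tagging each line with the proxy's own identity (or reading inbound and outbound listeners from separate log streams) is more robust than inspecting the `upstream` address.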