I have Istio mTLS STRICT mode enabled. After switching from PERMISSIVE mode, it seems the wasm plugin (in the Istio ingress gateway) is not able to communicate with the target service anymore:
2023-10-13T20:49:08.653912Z error envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1154 wasm log istio-system.<wasm-plugin>: Context ID: 4. Unknown issue occurred. Response status code: 503, body: "upstream connect error or disconnect/reset before headers. reset reason: connection termination" thread=50
Logs from the target service's istio-proxy container:
2023-10-13T20:57:31.907732Z debug envoy main external/envoy/source/server/server.cc:263 flushing stats thread=21
[2023-10-13T20:57:31.650Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 0 - "-" "-" "-" "-" "-" - - 10.42.0.147:5555 10.42.0.154:36420 - -
10.42.0.147:5555 is the target service.
10.42.0.154 is the Istio ingress gateway address.
And this is the EnvoyFilter:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ingressgateway-upstream-account-service
  namespace: "istio-system"
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: CLUSTER
    match:
      context: GATEWAY
    patch:
      operation: ADD
      value: # Cluster specification
        name: target_service
        type: LOGICAL_DNS
        connect_timeout: 5s
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: target_service
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: "target-service.default.svc.cluster.local"
                    protocol: TCP
                    port_value: 5555
What am I doing wrong here?