As shown here, I have this DestinationRule:
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-mtls-for-vault
  namespace: vault
spec:
  host: vault-ui.vault.svc.cluster.local
  workloadSelector:
    matchLabels:
      app.kubernetes.io/instance: vault
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 8200
      tls:
        mode: MUTUAL
        credentialName: tls-vault-server
        sni: vault-ui.vault.svc.cluster.local
Note that I have to define host here as well, which is not what the docs say, but I think a validation was added later, as it returns the following failure otherwise:
configuration is invalid: empty domain name not allowed
This DestinationRule doesn't seem to be working for the following VirtualService:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vault
  namespace: vault
spec:
  hosts:
  - 'vault.stage.upswing'
  gateways:
  - istio-system/stage-default
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        port:
          number: 8200
        host: vault-ui.vault.svc.cluster.local
If I remove workloadSelector, it gets applied just based on the host. The problem, though, is that it then returns an OPENSSL_internal:CERTIFICATE_VERIFY_FAILED error, which I guess is because credentialName, as the doc says, only works with workloadSelector.
Document snippet:
NOTE: This field is applicable at sidecars only if DestinationRule has a workloadSelector specified. Otherwise the field will be applicable only at gateways, and sidecars will continue to use the certificate paths.
k8s version - 1.22
istio version - 1.14.1
Thus the requirement for me is to originate TLS from the proxy to the destination service, which I am not able to achieve. I have verified the secret and the certificate/keys in it with curl multiple times, and that part is sorted.
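The two failure modes in this post (istiod rejecting a rule with no spec.host, and sidecars silently ignoring credentialName when no workloadSelector is present, so the proxy falls back to its file-mounted certificate paths and the handshake fails) can be caught before the rule is applied. The following is an added example, not code from the original post or from the Istio project: a small pre-flight check that walks every ClientTLSSettings block in a DestinationRule and verifies the referenced secret has the key layout Istio reads for that mode (a generic secret with cert/key/cacert, or a kubernetes.io/tls secret with tls.crt/tls.key/ca.crt, CA only for SIMPLE). The objects and PEM bodies are constructed placeholders mirroring the post's manifests; a real run would load them with kubectl get -o json.

```python
import base64

# Secret key layouts Istio accepts for credentialName: a "generic" secret
# (cert/key/cacert) or a kubernetes.io/tls secret (tls.crt/tls.key/ca.crt).
LAYOUTS = {
    "generic": {"client_cert": "cert", "client_key": "key", "ca": "cacert"},
    "kubernetes.io/tls": {"client_cert": "tls.crt", "client_key": "tls.key", "ca": "ca.crt"},
}


def pem_type(b64value: str) -> str:
    """Base64-decode a Secret value and return its first PEM block type ('' if not PEM)."""
    try:
        text = base64.b64decode(b64value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            return line[len("-----BEGIN "):-len("-----")]
    return ""


def check_secret(secret: dict, mode: str) -> list:
    """Findings for a Secret used as credentialName under the given TLS mode."""
    findings = []
    layout = LAYOUTS["kubernetes.io/tls" if secret.get("type") == "kubernetes.io/tls" else "generic"]
    data = secret.get("data", {})
    # SIMPLE only verifies the server, so only the CA is needed; MUTUAL also presents a client cert.
    wanted = {"ca"} if mode == "SIMPLE" else {"ca", "client_cert", "client_key"}
    for role in sorted(wanted):
        key = layout[role]
        if key not in data:
            findings.append(f"secret missing '{key}' ({role}) required for mode {mode}")
            continue
        kind = pem_type(data[key])
        if role == "client_key" and not kind.endswith("PRIVATE KEY"):
            findings.append(f"'{key}' is not a PEM private key (got {kind or 'non-PEM'})")
        elif role != "client_key" and kind != "CERTIFICATE":
            findings.append(f"'{key}' is not a PEM certificate (got {kind or 'non-PEM'})")
    return findings


def tls_settings(dr: dict):
    """Yield every ClientTLSSettings block in the rule: top-level and per-port."""
    tp = dr.get("spec", {}).get("trafficPolicy", {})
    if "tls" in tp:
        yield "trafficPolicy.tls", tp["tls"]
    for i, pls in enumerate(tp.get("portLevelSettings", [])):
        if "tls" in pls:
            yield f"trafficPolicy.portLevelSettings[{i}].tls", pls["tls"]


def check_destination_rule(dr: dict, secrets: dict) -> list:
    """Findings for sidecar-originated TLS: host, workloadSelector and the referenced secret."""
    findings = []
    spec = dr.get("spec", {})
    ns = dr.get("metadata", {}).get("namespace", "default")
    if not spec.get("host"):
        findings.append("spec.host is empty (istiod rejects this: 'empty domain name not allowed')")
    has_selector = bool(spec.get("workloadSelector"))
    for path, tls in tls_settings(dr):
        mode = tls.get("mode", "DISABLE")
        name = tls.get("credentialName")
        if mode in ("DISABLE", "ISTIO_MUTUAL") or not name:
            continue  # no user-supplied certs involved
        if not has_selector:
            findings.append(f"{path}: credentialName is ignored by sidecars without "
                            "workloadSelector; they keep using file-mounted certificate paths")
        # The secret must live in the namespace of the proxy that uses it.
        secret = secrets.get((ns, name))
        if secret is None:
            findings.append(f"{path}: secret {ns}/{name} not found in the proxy's namespace")
        else:
            findings.extend(f"{path}: {f}" for f in check_secret(secret, mode))
    return findings


def _b64(pem: str) -> str:
    return base64.b64encode(pem.encode()).decode()


# Constructed placeholder PEM bodies (not real key material), in the shape Istio expects.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"

# Constructed secret inventory keyed by (namespace, name), as kubectl would return it.
SECRETS = {
    ("vault", "tls-vault-server"): {
        "type": "Opaque",
        "data": {"cert": _b64(FAKE_CERT), "key": _b64(FAKE_KEY), "cacert": _b64(FAKE_CERT)},
    },
}


def sample_rule(with_selector: bool) -> dict:
    """Constructed DestinationRule mirroring the post, with or without workloadSelector."""
    spec = {
        "host": "vault-ui.vault.svc.cluster.local",
        "trafficPolicy": {"portLevelSettings": [{
            "port": {"number": 8200},
            "tls": {"mode": "MUTUAL", "credentialName": "tls-vault-server",
                    "sni": "vault-ui.vault.svc.cluster.local"},
        }]},
    }
    if with_selector:
        spec["workloadSelector"] = {"matchLabels": {"app.kubernetes.io/instance": "vault"}}
    return {"apiVersion": "networking.istio.io/v1beta1", "kind": "DestinationRule",
            "metadata": {"name": "originate-mtls-for-vault", "namespace": "vault"}, "spec": spec}


if __name__ == "__main__":
    for with_selector in (True, False):
        print(f"workloadSelector={with_selector}:",
              check_destination_rule(sample_rule(with_selector), SECRETS) or ["ok"])
```

With the selector present and the secret complete the check reports nothing; drop the selector and it flags the credentialName block, which is the configuration that produced the CERTIFICATE_VERIFY_FAILED handshake in the post.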