I'm struggling to get my Egress Gateway, Destination Rules and Virtual Service configured correctly.
I'm trying to connect to an external service that's not part of my cluster. Let's call it example.net and it's listening on Port 8443. I've got to use mTLS to connect to this service.
I've followed the Istio Documentation on setting up an Egress Gateway with mTLS origination. I got the expected result.
I'll post my custom configuration files below:
istio-egressgateway.yaml

```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: example-egress-gateway
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - example.net
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-example
  namespace: istio-system
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: ISTIO_MUTUAL
        sni: example.net
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-example
  namespace: istio-system
spec:
  host: example.net
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        credentialName: tls-secret
        sni: example.net
```
istio-egress-virtualservice.yaml

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-example-traffic-through-egress-gateway
  namespace: istio-system
spec:
  hosts:
  - example.net
  gateways:
  - example-egress-gateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 443
      weight: 100
  - match:
    - gateways:
      - example-egress-gateway
      port: 443
    route:
    - destination:
        host: example.net
        port:
          number: 8443
      weight: 100
```
Service Entry

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-example
  namespace: istio-system
spec:
  hosts:
  - example.net
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: tls
    protocol: TLS
  - number: 8443
    name: tls-8443
    protocol: TLS
  resolution: NONE
```
When I execute a curl command on one of the pods in the service mesh:
```
curl -v --location 'https://example.net:8443/'
```

Output:

```
* Host example.net:8443 was resolved.
* IPv6: (none)
* IPv4: 10.241.0.50
*   Trying 10.241.0.50:8443...
* Connected to example.net (10.241.0.50) port 8443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /cacert.pem
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
```
It seems that the pods aren't using the tls-secret that is specified when trying to connect to the external service.
I'm not getting anything in my egress-gateway pod logs, so I'm suspecting that routing to the gateway is incorrect?
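Reading the curl trace against the posted manifests: curl performs the TLS handshake itself (it sends the Client Hello, receives the server's Request CERT, and then rejects the server certificate's issuer), so the sidecar is passing the application's TLS bytes straight through to 10.241.0.50 rather than terminating them. With port 8443 declared as `protocol: TLS` in the ServiceEntry, the sidecar's outbound listener for that port is an SNI passthrough, and the `http` routes in the VirtualService (which match only port 80 on the `mesh` gateway) never apply, which is consistent with the egress gateway logging nothing. Two further cross-references do not line up: the `MUTUAL` DestinationRule is keyed on port 443 while the VirtualService sends the gateway to port 8443, and `resolution: NONE` makes the gateway connect to the original destination of the connection it received (itself), whereas the documented egress-gateway examples use `resolution: DNS`. Below is an added example, not code from the question or from the Istio project, of one internally consistent set of manifests for this flow, following the pattern in the Istio documentation for egress gateways with TLS origination. It assumes the application can be changed to call http://example.net/ (plaintext on port 80, with the mesh originating mTLS), that example.net resolves via DNS from the cluster, and that a secret named tls-secret holding the client certificate, key and CA exists in istio-system.

```yaml
# Added example (not from the question or the Istio project). Assumes: the app
# sends plaintext HTTP to example.net:80 and the mesh originates mTLS; example.net
# resolves via DNS; secret tls-secret (tls.key, tls.crt, ca.crt) is in istio-system.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-example
  namespace: istio-system
spec:
  hosts:
  - example.net
  location: MESH_EXTERNAL
  ports:
  - number: 80          # plaintext port the application calls; the sidecar sees HTTP
    name: http
    protocol: HTTP
  - number: 8443        # port the egress gateway connects to after originating mTLS
    name: https-8443
    protocol: HTTPS
  resolution: DNS       # the gateway must resolve example.net itself
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: example-egress-gateway
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - example.net
    tls:
      mode: ISTIO_MUTUAL  # sidecar -> gateway hop uses Istio-issued mTLS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-example
  namespace: istio-system
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: ISTIO_MUTUAL
        sni: example.net   # matches the Gateway server's hosts entry
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: direct-example-traffic-through-egress-gateway
  namespace: istio-system
spec:
  hosts:
  - example.net
  gateways:
  - example-egress-gateway
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80            # the HTTP port declared in the ServiceEntry
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 443
  - match:
    - gateways:
      - example-egress-gateway
      port: 443
    route:
    - destination:
        host: example.net
        port:
          number: 8443    # must be the port originate-mtls-for-example configures
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-example
  namespace: istio-system
spec:
  host: example.net
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 8443      # 443 here would never match the gateway's 8443 route
      tls:
        mode: MUTUAL
        credentialName: tls-secret   # client cert, key and CA, in istio-system
        sni: example.net
```

After applying these, test from an application pod with `curl -v http://example.net/` (plaintext; the gateway, not curl, does the mTLS handshake). To confirm the first hop, `istioctl proxy-config routes <pod>.<namespace> --name 80` should show example.net routed to the istio-egressgateway cluster on port 443, and `kubectl logs -n istio-system -l istio=egressgateway` should then record the request; if the outbound mTLS to example.net:8443 is what fails (untrusted server CA, wrong client certificate in tls-secret), the error surfaces in the gateway's logs and as a 503 to curl rather than as a curl certificate error.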