As I am new to Istio, along with all my team members, we would really appreciate it if we could get some help here.

**Problem** I have followed the documentation below to create certs and create secrets in k8s using the application cert and key: https://istio.io/docs/tasks/traffic-management/secure-ingress/#troubleshooting

After that I restarted my istio-ingressgateway pod so that it loads the certs, which anyway I can see inside the pod when I exec.

And I have added the annotation below on the istio-ingressgateway service to use domain names: `external-dns.alpha.kubernetes.io/hostname: *.byom-i344382.xxx.xxx.xxx.xxx.com`

My VirtualService and Gateway resources, which reside in the 'default' namespace, look like this:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ms-is-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ms-is
spec:
  hosts:
  - "ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com"
  gateways:
  - ms-is-gateway
  http:
  - match:
    - uri:
        exact: /api/v2/predict
    route:
    - destination:
        host: mlf-is
        port:
          number: 53547
```
Note that the mlf-is service is in the default namespace too. Only the istio-ingressgateway is in the istio-system namespace.

**Expected behavior** When I hit https://ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com/api/v2/predict from Postman I should be able to reach the ms-is service. However, I am not able to reach the service.

Even the curl command below is failing:

```
curl -v --cacert /home/vagrant/exmaple/mtls-go-example/2_intermediate/certs/ca-chain.cert.pem https://ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com:443/api/v2/predict
```

Error from curl:

```
*   Trying 18.195.217.210...
* TCP_NODELAY set
* Connected to ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com (18.195.217.210) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /home/vagrant/exmaple/mtls-go-example/2_intermediate/certs/ca-chain.cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com:443
```
**Version** Version of Istio: 1.0.1 and Kubernetes: 1.0.9

**Is Istio Auth enabled or not?** Installed istio.yaml

**Environment** Cloud vendor is AWS
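The handshake above dies right after the Client Hello, before any certificate is exchanged, so the first thing worth ruling out is the cert/key pair itself. The script below is an added example (not from the issue author and not Istio's own tooling) that checks, offline, the three properties the `tls.crt`/`tls.key` pair mounted at `/etc/istio/ingressgateway-certs` must have: the key matches the certificate, the certificate's subjectAltName covers the host named in the Gateway, and it has not expired. It assumes only that `openssl` is installed; the fixture it builds is constructed test data, and the `istio-ingressgateway-certs` secret name in the comment is taken from the Istio docs rather than from this issue.

```bash
#!/usr/bin/env bash
# Added example, not code from the issue or from Istio: offline pre-flight
# checks for a tls.crt/tls.key pair before it goes into the secret that
# istio-ingressgateway mounts at /etc/istio/ingressgateway-certs.
# Assumes only that `openssl` is installed.
set -u

# cert_key_match CERT KEY
# Succeeds when the public key embedded in CERT equals the one derived from KEY.
# A mismatched pair is one way the gateway ends up with no usable TLS listener.
cert_key_match() {
  local crt_pub key_pub
  crt_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ "$crt_pub" = "$key_pub" ]
}

# cert_covers_host CERT HOST
# Succeeds when HOST is listed in CERT's subjectAltName, either exactly or via
# a wildcard for HOST's parent domain (what the Gateway's hosts: entry needs).
cert_covers_host() {
  local host="$2" sans parent
  sans=$(openssl x509 -noout -text -in "$1" 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p')
  parent="${host#*.}"
  printf '%s\n' "$sans" | grep -qxF -e "$host" -e "*.$parent"
}

# cert_not_expired CERT
cert_not_expired() {
  openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# make_fixture DIR HOST
# Constructed test data: a throwaway self-signed pair for HOST plus an
# unrelated private key, so both the good and the mismatched case can be shown.
make_fixture() {
  local dir="$1" host="$2"
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/san.cnf" \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -out "$dir/other.key" >/dev/null 2>&1
}

# run_checks CERT KEY HOST
# Prints one line per check; returns non-zero if any check failed.
run_checks() {
  local rc=0
  if cert_key_match "$1" "$2"; then echo "ok   tls.crt matches tls.key"
  else echo "FAIL tls.crt does not match tls.key"; rc=1; fi
  if cert_covers_host "$1" "$3"; then echo "ok   SAN covers $3"
  else echo "FAIL SAN does not cover $3"; rc=1; fi
  if cert_not_expired "$1"; then echo "ok   certificate not expired"
  else echo "FAIL certificate expired"; rc=1; fi
  return "$rc"
}

# Stand-alone demo on the constructed fixture. Against a real cluster you would
# instead pass the files pulled out of the gateway secret, e.g. (secret name
# assumed from the Istio docs, not run here):
#   kubectl -n istio-system get secret istio-ingressgateway-certs \
#     -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
if [ "${1:-}" = "--demo" ]; then
  host="ms-1234.byom-i344382.xxx.xxx.xxx.xxx.com"
  tmp=$(mktemp -d)
  make_fixture "$tmp" "$host"
  echo "--- correct pair:"
  run_checks "$tmp/tls.crt" "$tmp/tls.key" "$host"
  echo "--- same cert with an unrelated key:"
  run_checks "$tmp/tls.crt" "$tmp/other.key" "$host" || true
  rm -rf "$tmp"
fi
```

Run it as `bash check-gateway-certs.sh --demo` to see both the passing and the mismatched case; if all three checks pass on the real files, the pair is sound and the next place to look is whether the gateway actually opened a 443 listener for that host (for example with `istioctl proxy-config listeners` against the ingressgateway pod).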