Can someone help me to piece together https://istio.io/docs/reference/config/networking/envoy-filter/ and https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto to allow tls_renegotiation on a specific outgoing domain via egress mtls origination?
I have several third-party services for which Istio mTLS origination via the egress gateway works flawlessly, and I am debugging one that doesn't. Istio retries 3 times and throws a 503 UC.
[2020-02-26 22:22:20.817][55][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:201] [C112] TLS error: 268435638:SSL routines:OPENSSL_internal:NO_RENEGOTIATION 268435650:SSL routines:OPENSSL_internal:PROTOCOL_IS_SHUTDOWN
[2020-02-26 22:22:20.817][55][debug][client] [external/envoy/source/common/http/codec_client.cc:82] [C112] disconnect. resetting 1 pending requests
[2020-02-26 22:22:20.817][55][debug][client] [external/envoy/source/common/http/codec_client.cc:105] [C112] request reset
My istio snippet so far:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: allow-tls-renegotiation
spec:
  workloadSelector:
    labels:
      istio: egressgateway
  configPatches:
  - applyTo: FILTER_CHAIN
    match:
      context: GATEWAY
      listener:
        filterChain:
          sni: <domain>
    patch:
      operation: MERGE
      value:
        transport_socket:
          name: tls
          typed_config:
            "@type": type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext
            allow_renegotiation: true
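An added example (not code from the original post) of the same `UpstreamTlsContext` override placed where the egress gateway actually originates TLS: the upstream cluster's transport socket, rather than the listener filter chain. It assumes the egress gateway runs in `istio-system`, that `<domain>` and port 443 stand in for the external host and the port declared in its ServiceEntry, and that this Istio release renders the cluster's TLS settings as `transport_socket`.

```yaml
# Added example: scope the renegotiation exception to one egress cluster only.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: allow-tls-renegotiation
  namespace: istio-system          # assumption: the egress gateway lives here
spec:
  workloadSelector:
    labels:
      istio: egressgateway
  configPatches:
  - applyTo: CLUSTER                # the outbound cluster, not the listener
    match:
      context: GATEWAY
      cluster:
        service: <domain>          # placeholder: FQDN of the external host
        portNumber: 443            # placeholder: port from the ServiceEntry
    patch:
      operation: MERGE
      value:
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext
            # Envoy refuses renegotiation by default; this override is limited
            # to the single cluster whose peer insists on it.
            allow_renegotiation: true
```

To confirm the patch landed, dump the gateway's cluster with `istioctl proxy-config cluster <egressgateway-pod> -n istio-system --fqdn <domain> -o json` and check that `allow_renegotiation` appears inside that cluster's `transport_socket`.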