openssl connection refused on one of the services/pods

3/18/2020

I have an application with more than 4 services. One of them requires a secure connection, i.e. with SSL. When I integrate Istio into my deployment, I get the following error from that pod/service:

➜  gluu git:(istio-integration) ✗ kubectl logs vs-oxauth-68584789d-dznxk -c vs-oxauth
INFO - pygluu.containerlib.wait - 2020-03-17 12:23:18,746 - Config is ready
INFO - pygluu.containerlib.wait - 2020-03-17 12:23:18,821 - Secret is ready
INFO - pygluu.containerlib.wait - 2020-03-17 12:23:19,731 - LDAP is ready
Traceback (most recent call last):
  File "/app/scripts/entrypoint.py", line 128, in <module>
    main()
  File "/app/scripts/entrypoint.py", line 90, in main
    get_server_certificate(manager.config.get("hostname"), 443, "/etc/certs/gluu_https.crt")
  File "/src/pygluu-containerlib/pygluu/containerlib/utils.py", line 149, in get_server_certificate
    sock = context.wrap_socket(conn, server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
socket.error: [Errno 0] Error

This is part of what I have in the gateway:

  - port:
      number: 8080
      name: http-oxauth
      protocol: HTTP
    hosts:
      - "*"
    tls:
      mode: SIMPLE
      credentialName: tls-certificate

And the Service object for that is:

apiVersion: v1
kind: Service
metadata:
  name: oxauth
  namespace: default
spec:
  ports:
  - name: tcp-oxauth
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    app: oxauth
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

And I have a VirtualService for that:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {{ include "istio.fullname" . }}-oxauth
  namespace: {{ .Release.Namespace }}
spec:
  hosts:
  - "*"
  gateways:
  - {{ .Release.Name }}-global-gtw # can omit the namespace if gateway is in same namespace as virtual service.
  http:
    - route:
      - destination:
          host: oxauth.{{ .Release.Namespace }}.svc.cluster.local
          port:
            number: 8080

and a DestinationRule:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: {{ include "istio.name" .}}-oxauth-destinationrule
spec:
  host: oxauth.{{ .Release.Namespace }}.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      credentialName: tls-certificate

What am I missing? I have enabled mTLS in Istio.

-- Shammir
Tags: istio, kubernetes, ssl

0 Answers
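As an added diagnostic example (not code from the question, from pygluu or from Gluu), here is a Python 3 re-implementation of the certificate fetch that fails in the traceback above. The traceback shows that `wrap_socket()` was reached with an already connected socket and that the failure happened inside `do_handshake()`, so the TCP port was reachable but the peer never completed a TLS handshake. The helper below reports "nothing listening", "TCP connected but no TLS handshake" and "certificate retrieved" as separate outcomes, which is the first thing to establish before touching Gateway, VirtualService or DestinationRule settings. `fetch_server_certificate`, `start_plaintext_listener` and `unused_port` are names chosen here; the listener is a constructed stand-in for a port that accepts TCP but does not terminate TLS.

```python
import socket
import ssl
import threading


def fetch_server_certificate(hostname, port, timeout=5.0):
    """Hypothetical diagnostic helper (not pygluu's get_server_certificate).

    Returns (status, detail) where status is one of:
      "ok"            - handshake completed; detail is the peer cert as PEM
      "tcp_refused"   - nothing is listening on hostname:port
      "tcp_error"     - other connect failure (timeout, unreachable, DNS)
      "tls_handshake" - TCP connected, but the peer did not speak TLS or
                        closed the connection during the handshake
    """
    # Verification is disabled on purpose: like ssl.get_server_certificate(),
    # this only retrieves the certificate the peer presents; it does not
    # decide whether to trust it.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        conn = socket.create_connection((hostname, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        return ("tcp_refused", str(exc))
    except OSError as exc:          # socket.timeout, gaierror, EHOSTUNREACH, ...
        return ("tcp_error", str(exc))
    try:
        # wrap_socket() performs the handshake immediately, exactly the step
        # at which the traceback in the question fails.
        with ctx.wrap_socket(conn, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            return ("ok", ssl.DER_cert_to_PEM_cert(der))
    except ssl.SSLError as exc:     # SSLEOFError etc. are subclasses
        return ("tls_handshake", str(exc))
    except OSError as exc:          # e.g. ConnectionResetError mid-handshake
        return ("tls_handshake", str(exc))
    finally:
        conn.close()


def start_plaintext_listener():
    """Constructed test peer: accepts TCP, reads whatever the client sends,
    answers in plain HTTP and closes. Models a port that is reachable but
    is not terminating TLS. Returns the port number it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            try:
                conn.recv(4096)  # consume the ClientHello
                conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
                conn.recv(4096)  # wait for the client to hang up
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """Constructed: bind an ephemeral port, release it, return its number."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # A peer that accepts TCP but answers in plaintext: classified as a
    # handshake failure, the same stage the question's traceback fails at.
    print(fetch_server_certificate("127.0.0.1", start_plaintext_listener()))
    # A port with no listener at all: classified as a TCP refusal.
    print(fetch_server_certificate("127.0.0.1", unused_port()))
```

Run against the hostname and port the entrypoint uses (`hostname:443` in the traceback) from inside the pod, with and without the sidecar, to see whether the refusal is at the TCP layer or at the TLS layer; the two cases point at different parts of the configuration.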