I created a Node.js TLS server, dockerized it, and created a K8S Deployment and ClusterIP service for it. I created a DNS for the LoadBalancer service external IP of istio-ingressgateway and I’m using this DNS to try to access this TLS server using Istio, but for some reason this error appears:
[2022-02-10T04:28:38.302Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 3087 - "-" "-" "-" "-" "-" "-" - - 10.120.22.33:7070 10.101.31.172:44748 - -
The node server.js file:
const tls = require("tls");
const fs = require("fs");
const options = {
  key: fs.readFileSync("server-key.pem"),
  cert: fs.readFileSync("server-cert.pem"),
  rejectUnauthorized: false,
};
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
const server = tls.createServer(options, (socket) => {
  console.log(
    "server connected",
    socket.authorized ? "authorized" : "unauthorized"
  );
  socket.write("welcome!\n");
  socket.setEncoding("utf8");
  socket.pipe(socket);
});
server.listen(7070, () => {
  console.log("server bound");
});
The client.js file I use to connect to the server:
const tls = require("tls");
const fs = require("fs");
const options = {
  ca: [fs.readFileSync("server-cert.pem", { encoding: "utf-8" })],
};
var socket = tls.connect(
  7070,
  "HOSTNAME",
  options,
  () => {
    console.log(
      "client connected",
      socket.authorized ? "authorized" : "unauthorized"
    );
    process.stdin.pipe(socket);
    process.stdin.resume();
  }
);
socket.setEncoding("utf8");
socket.on("data", (data) => {
  console.log(data);
});
socket.on("end", () => {
  console.log("Ended");
});
The cluster service.yaml:
apiVersion: v1
kind: Service
metadata:
  name: nodejs-service
  namespace: nodejs-tcp
spec:
  ports:
  - name: web
    port: 7070
    protocol: TCP
    targetPort: 7070
  selector:
    app: nodejs
  sessionAffinity: None
  type: ClusterIP
The istio-gateway.yaml:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: nodejs-gw
  namespace: nodejs-tcp
spec:
  selector:
    istio: istio-ingressgateway
  servers:
  - hosts:
    - 'HOSTNAME'
    port:
      name: tls
      number: 7070
      protocol: TLS
    tls:
      credentialName: tls-secret
      mode: PASSTHROUGH
In credentialName, I created a generic secret that holds the values of the private key and the certificate of the server.
The istio-virtual-service.yaml:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nodejs-vs
  namespace: nodejs-tcp
spec:
  gateways:
  - nodejs-gw
  hosts:
  - 'HOSTNAME'
  tls:
  - match:
    - port: 7070
      sniHosts:
      - HOSTNAME
    route:
    - destination:
        host: nodejs-service
        port:
          number: 7070
The Istio version I’m using:
client version: 1.12.2
control plane version: 1.12.2
data plane version: 1.12.2 (159 proxies)
Your help is so much appreciated. Thanks in advance.
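Added example, not part of the original post: with `mode: PASSTHROUGH` the gateway does not terminate TLS and selects the route from the SNI name in the client's ClientHello, so a useful check is what name (if any) the client sends and whether it matches the configured hosts. The sketch below parses SNI out of a ClientHello and applies a simplified host match. The function names, the `tls.example.test` placeholder host and the sample ClientHello are constructed for illustration, and the matching rule is an assumed simplification, not Istio's or Envoy's code.

```javascript
// Return the SNI host name in a TLS ClientHello record, or null if absent/malformed.
function extractSni(buf) {
  try {
    if (buf[0] !== 0x16 || buf[5] !== 0x01) return null; // not a ClientHello
    let p = 5 + 4 + 2 + 32;        // record hdr, handshake hdr, version, random
    p += 1 + buf.readUInt8(p);     // session_id
    p += 2 + buf.readUInt16BE(p);  // cipher_suites
    p += 1 + buf.readUInt8(p);     // compression_methods
    const end = p + 2 + buf.readUInt16BE(p);
    for (p += 2; p + 4 <= end; p += 4 + buf.readUInt16BE(p + 2)) {
      if (buf.readUInt16BE(p) !== 0) continue;  // not the server_name extension
      const nameLen = buf.readUInt16BE(p + 7);  // follows list_len(2), name_type(1)
      if (buf[p + 6] !== 0 || p + 9 + nameLen > buf.length) return null;
      return buf.toString("ascii", p + 9, p + 9 + nameLen);
    }
  } catch (e) { /* truncated record: fall through */ }
  return null;
}

// Assumption: simplified model of host matching (exact, "*.suffix", or "*").
function hostMatches(pattern, sni) {
  if (pattern === "*") return true;
  if (sni === null) return false; // a client without SNI only matches a catch-all
  const p = pattern.toLowerCase(), s = sni.toLowerCase();
  return p.startsWith("*.") ? s.endsWith(p.slice(1)) : s === p;
}

// Would a server entry with these hosts accept this ClientHello?
function gatewayAccepts(hosts, hello) {
  return hosts.some((h) => hostMatches(h, extractSni(hello)));
}

// Constructed sample input: a minimal ClientHello, with or without SNI (short names only).
function sampleClientHello(name) {
  const n = Buffer.from(name || "", "ascii");
  const ext = Buffer.alloc(name ? 9 : 0); // zeros: type 0 = server_name, name_type 0
  if (name) {
    ext.writeUInt16BE(n.length + 5, 2); // extension length
    ext.writeUInt16BE(n.length + 3, 4); // server_name_list length
    ext.writeUInt16BE(n.length, 7);     // host name length
  }
  const body = Buffer.concat([Buffer.from([3, 3]), Buffer.alloc(32), // version, random
    Buffer.from([0, 0, 2, 0x13, 0x01, 1, 0]), // session_id, one suite, compression
    Buffer.from([0, ext.length + n.length]), ext, n]); // extensions block
  const hdr = Buffer.from([0x16, 3, 1, 0, body.length + 4, 0x01, 0, 0, body.length]);
  return Buffer.concat([hdr, body]);
}

const demoHosts = ["tls.example.test"]; // placeholder standing in for HOSTNAME
console.log(["tls.example.test", null].map((n) => gatewayAccepts(demoHosts, sampleClientHello(n))));
```

To inspect a real client, `extractSni` can be fed the first data chunk received by a plain `net` server that the client is pointed at.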