NR filter_chain_not_found when connecting to Nodejs TLS server using istio

2/10/2022

I created a Node.js TLS server, dockerized it, and created a K8S Deployment and ClusterIP service for it. I created a DNS for the LoadBalancer service external IP of istio-ingressgateway and I'm using this DNS to try to access this TLS server using Istio, but for some reason this error appears:

[2022-02-10T04:28:38.302Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 3087 - "-" "-" "-" "-" "-" "-" - - 10.120.22.33:7070 10.101.31.172:44748 - -

The node server.js file:

const tls = require("tls");
const fs = require("fs");

const options = {
  key: fs.readFileSync("server-key.pem"),
  cert: fs.readFileSync("server-cert.pem"),

  rejectUnauthorized: false,
};
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
const server = tls.createServer(options, (socket) => {
  console.log(
    "server connected",
    socket.authorized ? "authorized" : "unauthorized"
  );
  socket.write("welcome!\n");
  socket.setEncoding("utf8");
  socket.pipe(socket);
});
server.listen(7070, () => {
  console.log("server bound");
});

The client.js file I use to connect to the server:

const tls = require("tls");
const fs = require("fs");

const options = {
  ca: [fs.readFileSync("server-cert.pem", { encoding: "utf-8" })],
};
var socket = tls.connect(
  7070,
  "HOSTNAME",
  options,
  () => {
    console.log(
      "client connected",
      socket.authorized ? "authorized" : "unauthorized"
    );
    process.stdin.pipe(socket);
    process.stdin.resume();
  }
);
socket.setEncoding("utf8");
socket.on("data", (data) => {
  console.log(data);
});

socket.on("end", () => {
  console.log("Ended");
});

The cluster service.yaml:

apiVersion: v1
kind: Service
metadata:
  name: nodejs-service
  namespace: nodejs-tcp
spec:
  ports:
  - name: web
    port: 7070
    protocol: TCP
    targetPort: 7070
  selector:
    app: nodejs
  sessionAffinity: None
  type: ClusterIP

The istio-gateway.yaml:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: nodejs-gw
  namespace: nodejs-tcp
spec:
  selector:
    istio: istio-ingressgateway
  servers:
  - hosts:
    - 'HOSTNAME'
    port:
      name: tls
      number: 7070
      protocol: TLS
    tls:
      credentialName: tls-secret
      mode: PASSTHROUGH

In credentialName, I created a generic secret that holds the values of the private key and the certificate of the server.

The istio-virtual-service.yaml:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nodejs-vs
  namespace: nodejs-tcp
spec:
  gateways:
  - nodejs-gw
  hosts:
  - 'HOSTNAME'
  tls:
  - match:
    - port: 7070
      sniHosts:
      - HOSTNAME
    route:
    - destination:
        host: nodejs-service
        port:
          number: 7070

The Istio version I’m using:

client version: 1.12.2
control plane version: 1.12.2
data plane version: 1.12.2 (159 proxies)

Your help is so much appreciated. Thanks in advance.

-- Kareem Yasser
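
The Gateway above uses mode: PASSTHROUGH and the VirtualService matches on sniHosts, so routing depends on the server name carried in the client's TLS ClientHello. The following is an added example, not part of the original question: a Node.js helper that extracts that name from captured ClientHello bytes so it can be compared with the configured host. buildClientHello and the host gateway.example.test are constructed for illustration.

```javascript
// Returns the SNI host name, or null when there is no SNI or the input is not a ClientHello.
function extractSni(buf) {
  try {
    // Record header (5 bytes, type 0x16) then handshake header (4 bytes, type 0x01).
    if (buf[0] !== 0x16 || buf[5] !== 0x01) return null;
    let p = 9;
    p += 2 + 32;                    // client version + random
    p += 1 + buf[p];                // session id
    p += 2 + buf.readUInt16BE(p);   // cipher suites
    p += 1 + buf[p];                // compression methods
    if (p + 2 > buf.length) return null;          // no extensions block at all
    const end = Math.min(p + 2 + buf.readUInt16BE(p), buf.length);
    p += 2;
    while (p + 4 <= end) {
      const type = buf.readUInt16BE(p);
      const len = buf.readUInt16BE(p + 2);
      p += 4;
      if (type === 0x0000) {        // server_name: list len(2), type(1), name len(2), name
        const nameLen = buf.readUInt16BE(p + 3);
        if (buf[p + 2] !== 0 || p + 5 + nameLen > end) return null;
        return buf.toString("ascii", p + 5, p + 5 + nameLen);
      }
      p += len;
    }
    return null;
  } catch {
    return null;                    // truncated or malformed input
  }
}

// Constructed sample input: a minimal ClientHello, with or without an SNI extension.
function buildClientHello(name) {
  const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);
  const host = Buffer.from(name || "", "ascii");
  const sni = name
    ? Buffer.concat([u16(0), u16(host.length + 5), u16(host.length + 3),
        Buffer.from([0]), u16(host.length), host])
    : Buffer.alloc(0);
  const body = Buffer.concat([
    Buffer.from([3, 3]), Buffer.alloc(32), Buffer.from([0]), // version, random, session id
    u16(2), Buffer.from([0x13, 0x01]), Buffer.from([1, 0]),  // cipher suite, compression
    u16(sni.length), sni,                                    // extensions
  ]);
  const hs = Buffer.concat([Buffer.from([1, 0]), u16(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 3, 1]), u16(hs.length), hs]);
}

// "gateway.example.test" is a placeholder standing in for HOSTNAME.
console.log(extractSni(buildClientHello("gateway.example.test")));
```

A null result means the client sent no server name, so there is nothing for an sniHosts match to compare against.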