K
Q

NR filter_chain_not_found when connecting to Nodejs TLS server using istio

2/10/2022

I created a node js TLS server, dockerized it, and created a K8S Deployment and ClusterIP service for it. I created a DNS for the LoadBalancer service external IP of istio-ingressgateway and I’m using this DNS to try access this TLS server using istio but for some reason this error appears

[2022-02-10T04:28:38.302Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 3087 - "-" "-" "-" "-" "-" "-" - - 10.120.22.33:7070 10.101.31.172:44748 - -

The node server.js file:

const tls = require("tls");
const fs = require("fs");

const options = {
  key: fs.readFileSync("server-key.pem"),
  cert: fs.readFileSync("server-cert.pem"),

  rejectUnauthorized: false,
};
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
const server = tls.createServer(options, (socket) => {
  console.log(
    "server connected",
    socket.authorized ? "authorized" : "unauthorized"
  );
  socket.write("welcome!\n");
  socket.setEncoding("utf8");
  socket.pipe(socket);
});
server.listen(7070, () => {
  console.log("server bound");
});

The client.js file I use to connect to the server:

const tls = require("tls");
const fs = require("fs");

const options = {
  ca: [fs.readFileSync("server-cert.pem", { encoding: "utf-8" })],
};
var socket = tls.connect(
  7070,
  "HOSTNAME",
  options,
  () => {
    console.log(
      "client connected",
      socket.authorized ? "authorized" : "unauthorized"
    );
    process.stdin.pipe(socket);
    process.stdin.resume();
  }
);
socket.setEncoding("utf8");
socket.on("data", (data) => {
  console.log(data);
});

socket.on("end", () => {
  console.log("Ended");
});

The cluster service.yaml

apiVersion: v1
kind: Service
metadata:
  name: nodejs-service
  namespace: nodejs-tcp
spec:
  ports:
  - name: web
    port: 7070
    protocol: TCP
    targetPort: 7070
  selector:
    app: nodejs
  sessionAffinity: None
  type: ClusterIP

The istio-gateway.yaml

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: nodejs-gw
  namespace: nodejs-tcp
spec:
  selector:
    istio: istio-ingressgateway
  servers:
  - hosts:
    - 'HOSTNAME'
    port:
      name: tls
      number: 7070
      protocol: TLS
    tls:
      credentialName: tls-secret
      mode: PASSTHROUGH

In credentialName, I created a generic secret that holds the values of the private key and the certificate of the server

The istio-virtual-service.yaml

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nodejs-vs
  namespace: nodejs-tcp
spec:
  gateways:
  - nodejs-gw
  hosts:
  - 'HOSTNAME'
  tls:
  - match:
    - port: 7070
      sniHosts:
      - HOSTNAME
    route:
    - destination:
        host: nodejs-service
        port:
          number: 7070

The Istio version I’m using:

client version: 1.12.2
control plane version: 1.12.2
data plane version: 1.12.2 (159 proxies)

Your help is so much appreciated. Thanks in advance.

-- Kareem Yasser
istio
istio-gateway
istio-sidecar
kubernetes
kubernetes-ingress

Similar Questions

While setting kubernetes cluster, kubeadm initialization command is giving error
Nested subchart of Helm
Creating Google persistent disks from snapshots in Kubernetes
setting up monitoring within the namespace of Kubernetes
Traefik instance loadbalance to Kubernetes NodePort services

0 Answers