Tags: kubernetes-ingress, istio

Enabling HTTPS port in k8s


I am trying to add port 5665 to istio-ingressgateway. It has been added, but the traffic is (I think) not routed correctly, since I keep getting an SSL error:

curl -k https://api.loadbalancer.local.com:5665/v1/bla ; echo
curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number

whereas I am able to telnet to the port on the ingressgateway LB:

❯ telnet api.loadbalancer.local.com 5665
Trying 10.239.49.9...
Connected to api.loadbalancer.local.com.
Escape character is '^]'.

and the service responds fine if I call the POD IP directly, for example:

  IP:           10.23.49.90
Controlled By:  ReplicaSet/icinga2-84bd777b9
Containers:
  icinga2:
    Image:          jordan/icinga2:latest
    Ports:          80/TCP, 443/TCP, 5665/TCP
    Host Ports:     0/TCP, 0/TCP, 0/TCP
    State:          Running
      
    Ready:          True
    Restart Count:  0
    Liveness:       http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3
❯ curl -k https://10.23.49.90:5665/
<h1>Unauthorized. Please check your user credentials.</h1>%
❯ curl -k https://10.23.49.90:5665/v1/bla
<h1>Unauthorized. Please check your user credentials.</h1>%
❯ curl -k http://10.23.49.90:5665/
curl: (52) Empty reply from server

Routing config

  • istio-ingress-gateway for opening the port

    - name: api
      nodePort: 30431
      port: 5665
      protocol: TCP
      targetPort: 5665

  • Gateway configuration

    apiVersion: v1
    items:
    - apiVersion: networking.istio.io/v1beta1
      kind: Gateway
      spec:
        selector:
          istio: ingressgateway
        servers:
        - hosts:
          - '*'
          port:
            name: api
            number: 5665
            protocol: HTTPS
          tls:
            mode: SIMPLE

VirtualService

apiVersion: v1
items:
- apiVersion: networking.istio.io/v1beta1
  kind: VirtualService
  spec:
    gateways:
    - icinga2
    hosts:
    - '*'
    http:
    - match:
      - port: 5665
      route:
      - destination:
          host: icinga2.default.svc.cluster.local
          port:
            number: 5665

Question: What am I doing wrong? How do I make this port work the same way as when I call the POD IP directly?

I presume that the reason I am getting curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number is some misconfiguration.

Also, I don't even know where to look to troubleshoot the issue, so if someone could explain where to look, that would be helpful too.

Regards.


Solution

  • Just to add the answer for others, here is how I fixed the issue.

    Gateway Change:

    spec:
      selector:
        istio: ingressgateway
      servers:
      - hosts:
        - '*'
        port:
          name: https
          number: 5665
          protocol: HTTPS
          targetPort: 5665
        tls:
          mode: PASSTHROUGH
    

    VirtualService Change:

      spec:
        gateways:
        - icinga2
        hosts:
        - '*'
        tls:
        - match:
          - port: 5665
          route:
          - destination:
              host: icinga2.default.svc.cluster.local
              port:
                number: 5665
    

    Please note the tls key above the match rule; before, I somehow had http there.

    And now I am able to make the call to the API via HTTPS:

    ❯ curl -k https://api.loadbalancer.local.com:5665/v1/bla ; echo
    <h1>Unauthorized. Please check your user credentials.</h1>
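The fix above comes down to keeping the Gateway server's tls mode and the VirtualService route kind consistent: a PASSTHROUGH server forwards raw TLS and so needs a tls route, while a SIMPLE server terminates TLS at the gateway, needs a certificate of its own, and hands plaintext to http routes. The checker below is an added example (not code from the question or the answer) that encodes those rules and runs them over copies of the question's and the answer's manifests, constructed here as Python dicts; the "SIMPLE needs a certificate" rule is an assumption about the original setup, since the question's Gateway shows no credentialName.

```python
"""Consistency check for an Istio Gateway / VirtualService pair (added example)."""

# Constructed to mirror the question's manifests (SIMPLE + http route).
QUESTION_GW = {"servers": [{"hosts": ["*"],
    "port": {"name": "api", "number": 5665, "protocol": "HTTPS"},
    "tls": {"mode": "SIMPLE"}}]}
QUESTION_VS = {"http": [{"match": [{"port": 5665}],
    "route": [{"destination": {"host": "icinga2.default.svc.cluster.local",
                               "port": {"number": 5665}}}]}]}
# Constructed to mirror the answer's manifests (PASSTHROUGH + tls route).
ANSWER_GW = {"servers": [{"hosts": ["*"],
    "port": {"name": "https", "number": 5665, "protocol": "HTTPS"},
    "tls": {"mode": "PASSTHROUGH"}}]}
ANSWER_VS = {"tls": [{"match": [{"port": 5665}],
    "route": [{"destination": {"host": "icinga2.default.svc.cluster.local",
                               "port": {"number": 5665}}}]}]}


def _route_ports(vs_spec, kind):
    """Ports referenced by the 'http' or 'tls' match rules of a VirtualService."""
    return {m.get("port") for rule in vs_spec.get(kind, [])
            for m in rule.get("match", [])}


def check_pair(gw_spec, vs_spec):
    """Return findings for each HTTPS server of the Gateway (empty = consistent)."""
    findings = []
    http_ports = _route_ports(vs_spec, "http")
    tls_ports = _route_ports(vs_spec, "tls")
    for srv in gw_spec.get("servers", []):
        if srv["port"].get("protocol") != "HTTPS":
            continue
        port = srv["port"]["number"]
        tls = srv.get("tls", {})
        mode = tls.get("mode")
        if mode in ("SIMPLE", "MUTUAL"):
            # Gateway terminates TLS: it must present its own certificate and
            # the decrypted traffic is routed by http rules, never by tls rules.
            if not (tls.get("credentialName") or tls.get("serverCertificate")):
                findings.append(f"port {port}: {mode} terminates TLS at the gateway "
                                "but no certificate is configured")
            if port in tls_ports:
                findings.append(f"port {port}: gateway terminates TLS, routes must use http")
        elif mode == "PASSTHROUGH":
            # Gateway forwards the TLS stream untouched (routing by SNI): only
            # tls rules apply, and the backend must itself speak TLS on this port.
            if port in http_ports:
                findings.append(f"port {port}: PASSTHROUGH forwards raw TLS, http route cannot apply")
            if port not in tls_ports:
                findings.append(f"port {port}: PASSTHROUGH needs a tls route for this port")
    return findings
```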