I've got a container that runs an HTTPS service on port 9999. The service is as follows:

apiVersion: v1
kind: Service
metadata:
  labels:
    role: pingfederate2
  name: pingfederate2
spec:
  ports:
    - name: https
      port: 443
      targetPort: 9999
  selector:
    role: pingfederate2

The Envoy log generated when going through the gateway is:

[2020-03-19T08:42:37.356Z] "- - -" 0 - "-" "-" 2046 7 11 - "-" "-" "-" "-" "127.0.0.1:9999" inbound|443|https|pingfederate2.default.svc.cluster.local 127.0.0.1:39954 10.25.132.9:9999 10.25.131.133:56890 outbound_.443_._.pingfederate2.default.svc.cluster.local -

To me, it looks like Envoy is trying to communicate with the pod over HTTP, not HTTPS. Is there a way to force Envoy to use HTTPS to locally communicate with the container? I could be barking up the wrong tree though.

1 Answer


Changing the destination rule from ISTIO_MUTUAL to SIMPLE fixed this issue. There's obviously a problem with my config with the mTLS.
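
An added example, not part of the original question or answer: a Python parser for the sidecar log line quoted in the question, pulling out the fields that bear on the ISTIO_MUTUAL versus SIMPLE choice. It assumes the line follows Istio's default Envoy text access-log field order for that release; the key names in `FIELDS` are labels chosen here.

```python
import shlex

# Assumed field order: Istio's default Envoy text access log of that era.
# The key names are labels chosen for this example.
FIELDS = [
    "request", "response_code", "response_flags", "mixer_status",
    "upstream_transport_failure", "bytes_received", "bytes_sent", "duration_ms",
    "upstream_service_time", "x_forwarded_for", "user_agent", "request_id",
    "authority", "upstream_host", "upstream_cluster", "upstream_local_address",
    "downstream_local_address", "downstream_remote_address",
    "requested_server_name", "route_name",
]

# The sidecar log line quoted in the question.
SAMPLE = (
    '[2020-03-19T08:42:37.356Z] "- - -" 0 - "-" "-" 2046 7 11 - "-" "-" "-" "-" '
    '"127.0.0.1:9999" inbound|443|https|pingfederate2.default.svc.cluster.local '
    '127.0.0.1:39954 10.25.132.9:9999 10.25.131.133:56890 '
    'outbound_.443_._.pingfederate2.default.svc.cluster.local -'
)

def parse(line):
    """Split one access-log line into named fields."""
    timestamp, sep, rest = line.partition("] ")
    values = shlex.split(rest) if sep else []
    if len(values) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(values)))
    entry = dict(zip(FIELDS, values))
    entry["timestamp"] = timestamp.lstrip("[")
    return entry

def diagnose(entry):
    """Report what the entry says about TLS handling on this hop."""
    return {
        # No method/path/protocol and code 0: Envoy proxied raw TCP, not HTTP.
        "tcp_proxied": entry["request"] == "- - -" and entry["response_code"] == "0",
        # Istio's mTLS client sets SNI to outbound_.<port>_.<subset>_.<host>; the
        # receiving sidecar strips that layer and forwards the inner bytes.
        "istio_mtls_sni": entry["requested_server_name"].startswith("outbound_."),
        # An inbound| cluster means this is the destination pod's own sidecar.
        "inbound_sidecar": entry["upstream_cluster"].startswith("inbound|"),
        "app_endpoint": entry["upstream_host"],
    }

if __name__ == "__main__":
    for key, value in diagnose(parse(SAMPLE)).items():
        print(key, "=", value)
```

With `tls.mode: SIMPLE` the client proxy originates ordinary TLS instead of wrapping the connection in Istio mTLS. A DestinationRule in SIMPLE mode without `caCertificates` set does not verify the server's certificate.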