1

I'm using EKS and latest Istio installed via Helm. I'm trying to implement TLS based on a wildcard cert we have for our domain in AWS certificate manager. I'm running into a problem where the connection between the client and the NLB works, with TLS being terminated there, but the NLB can't talk to the istio LB over the secure port. In the AWS console I can rewrite the forwarding rules to forward traffic from port 443 to the standard istio http target, but I can't find a way to do this via code. I'm trying to avoid all click-ops. Here is my Helm overrides for the gateway:

gateways:
  istio-ingressgateway:
    serviceAnnotations:
        service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:XXXXXXXXXXXXXXXXXX:certificate/XXXXXXXXXXXXXXXXXXXX"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"

So what I'm expecting to occur here is:

Client:443 --> NLB:443 --> Istio Gateway:80
but what I end up with is
Client:443 --> NLB:443 --> Istio Gateway:443

Does anyone have any thoughts on how to get this to work via code? Alternately if someone can point me to a resource to get tls communication between the NLB and Istio working I'm good with that too.

user3088242
  • 11
  • 2

2 Answers2

0

Probably, what is happening is that if you terminate TLS on the load balancer it won't carry SNI to the target group. I had the exact same issue and I ended up solving it by setting the host as '*' on the ingress Gateway and then specifying the hosts on the different VirtualServices (as recommended here and also on istio's official docs).

Bruno_Ferreira
  • 1,305
  • 21
  • 33
0

Your service annotation already correct what is mising is to change istio gateway port 443 to HTTP

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: http-gateway-external
  namespace: istio-ingress
spec:
  selector:
    istio: gateway-external
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
  - hosts:
    - '*'
    port:
      name: https
      number: 443
      protocol: HTTP     # Change from HTTPS to HTTP
Jay Sithiporn
  • 91
  • 5
  • 14
  • Newer versions of istio do not allow you to do this. The Admission controller does not allow the resource to be created so this will not work. – mmiara Jan 11 '23 at 20:05