I am intercepting a service at port 389 and applying TLS origination, so my destination rule is as follows:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ldap
spec:
  host: ...
  subsets:
  - name: tls-origination
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      portLevelSettings:
      - port:
          number: 636
        tls:
          mode: SIMPLE
          caCertificates: /path/to/certificate/ldap.pem
```

The value /path/to/certificate/ldap.pem is the path on my local machine to the file. When I look at the istio-proxy logs after having applied the destination rule, I get the following error:

```
type.googleapis.com/envoy.api.v2.Cluster rejected: Error adding/updating cluster(s) outbound|636|tls-origination|...: Invalid path: /path/to/certificate/ldap.pem
```

What am I doing wrong? Istio is deployed inside Kubernetes.

  • Hi @Learner, could you tell me which version of Istio you use? Secondly, I cannot see a `protocol: TLS` line in your yaml file. Please also look at [this page](https://www.gitmemory.com/issue/istio/istio.io/7063/642003968). In the section **Errors** a problem very similar to yours is described. – Mikołaj Głodziak May 12 '21 at 09:29
  • @MikołajGłodziak Thanks a lot for your reply. The TLS protocol is in the service entry and in the virtual service .yaml files. I will have a look at the link that you have sent me – Learner May 12 '21 at 10:07
  • @MikołajGłodziak I am using Istio 1.6 with the gateway configured – Learner May 12 '21 at 10:09
  • If you didn't find a solution, please edit your question by adding your other yaml files. How did you deploy Kubernetes? – Mikołaj Głodziak May 12 '21 at 12:20
  • @MikołajGłodziak k3s Kubernetes deployed via the k3d tool. I am currently looking into it; I see that maybe it has to be deployed as a secret in the sidecar – Learner May 12 '21 at 12:36
  • Correction: I am using Istio 1.6 with NO gateway configured – Learner May 12 '21 at 13:10
  • You can also look at a [very similar problem](https://discuss.istio.io/t/trust-custom-root-ca-on-egress-gateway/3063/5). Did you try configuring the gateway? – Mikołaj Głodziak May 13 '21 at 08:31
  • @MikołajGłodziak Hi, thanks for the reply. No, I did not; that is what I am going to do today to see if I can solve the issue – Learner May 13 '21 at 09:13
  • @MikołajGłodziak The problem with the first approach is that the certificate has to be on the service to be intercepted, and I was adding it to istiod – Learner May 13 '21 at 16:56
  • First of all: you are using an unsupported [Istio version 1.6](https://istio.io/latest/about/supported-releases/#support-status-of-istio-releases) – Mikołaj Głodziak May 14 '21 at 11:53
  • Secondly: what are you trying to set up? 1. TLS for [egress traffic](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-tls-origination/#tls-origination-for-egress-traffic); 2. TLS for an [egress gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-https-traffic); 3. TLS for an [egress gateway in simple or mutual mode with custom CA certs](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/)? – Mikołaj Głodziak May 14 '21 at 11:53

1 Answer

In my case, I had to add the file into the same pod as the service being intercepted. I have used the same approach described here (i.e., using annotations): the certificate gets added to the proxy sidecar.

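The approach the answer describes, written out as an added example (not the asker's or the Istio project's own manifests): the CA is stored in a Secret, mounted into the istio-proxy container through the sidecar injector's `sidecar.istio.io/userVolume` / `sidecar.istio.io/userVolumeMount` annotations, and the DestinationRule then references the path as seen from inside that container, which is where Envoy validates `caCertificates`. The Secret name, Deployment name, image, external host and mount path are assumptions.

```yaml
# Added example, not code from the question or answer. Assumed names:
# Secret "ldap-ca", Deployment "ldap-client", host ldap.example.com,
# mount path /etc/ldap-ca. The Secret holds only a public CA certificate.
apiVersion: v1
kind: Secret
metadata:
  name: ldap-ca
type: Opaque
stringData:
  ldap.pem: "<PEM contents of the LDAP server's CA certificate>"  # placeholder
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ldap-client
spec:
  selector:
    matchLabels: {app: ldap-client}
  template:
    metadata:
      labels: {app: ldap-client}
      annotations:
        # Read by the sidecar injector: the volume is mounted in the
        # istio-proxy container, not in the application container and
        # not in istiod, so Envoy can open the file at this path.
        sidecar.istio.io/userVolume: '[{"name":"ldap-ca","secret":{"secretName":"ldap-ca"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"ldap-ca","mountPath":"/etc/ldap-ca","readOnly":true}]'
    spec:
      containers:
      - name: app
        image: example/ldap-client:latest  # placeholder image
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ldap
spec:
  host: ldap.example.com  # assumed; must match the ServiceEntry host
  subsets:
  - name: tls-origination
    trafficPolicy:
      portLevelSettings:
      - port:
          number: 636
        tls:
          mode: SIMPLE
          # mountPath from the annotation above + the Secret key, i.e. the
          # path inside the istio-proxy container, not on the local machine.
          caCertificates: /etc/ldap-ca/ldap.pem
```

The annotations only take effect when the pod is (re)injected, so restart the Deployment after adding them; `kubectl exec <pod> -c istio-proxy -- ls /etc/ldap-ca` confirms the file is visible to Envoy before the DestinationRule is applied.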