Bug Description
My cluster uses Istio and one of service (java) which is deployed in mesh needs to connect to external resource x.cmp.net/doc.pdf with http and 443 port. This external resource using trusted wildcard cert (DigiCert) with subjects *.cmp.net and cmp.net.
When I try to use openssl to verify (from app container) ssl cert I'm getting Google cert (?? istio cert ?):
opt$ **openssl s_client -showcerts -connect x.cmp.net:443**
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
---
Certificate chain
0 s:CN = *.google.com
Application is written in java and when app tries to download resource getting:
No subject alternative DNS name matching shipjobmt.ista.net found.
My configuration:
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
name: internalnet
namespace: ppct
spec:
hosts:
- x.cmp.net
- y.cmp.net
- z.cmp.net
exportTo:
- "."
ports:
- number: 443
name: https
protocol: HTTPS
location: MESH_EXTERNAL
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: xinternalnet
namespace: ppct
spec:
host: x.cmp.net
trafficPolicy:
tls:
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: yinternalnet
namespace: ppct
spec:
host: y.cmp.net
trafficPolicy:
tls:
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: zinternalnet
namespace: ppct
spec:
host: z.cmp.net
trafficPolicy:
tls:
mode: SIMPLE
I also have blocking mode on:
kubectl get istiooperator installed-state -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'
REGISTRY_ONLY
Version
`istioctl version`
client version: 1.11.0
control plane version: 1.11.0
data plane version: 1.11.0 (65 proxies)
`kubectl version --short`
Client Version: v1.19.9
Server Version: v1.19.9
Additional Information
No response
