I would like my VirtualService to redirect to an HTTPS "Service". For this, I used a DestinationRule specifying a trafficPolicy and the caCertificates. The CA has been successfully placed in the Envoy proxy, which I have manually verified. However, I still encounter this error:

upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection failure, transport failure reason: TLS error: Secret is not supplied by SDS

My .yaml files:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: jhipster-registry-gw-virtualservice
  namespace: int
spec:
  gateways:
  - istio-system/martin-gateway
  hosts:
  - jhipster-registry.myDomain.be
  http:
    - route:
      - destination:
          host: jhipster-registry
          port:
            number: 8761
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: jhipster-registry-destinationrule
  namespace: int
spec:
  host: jhipster-registry
  trafficPolicy:
    tls:
      mode: SIMPLE
      caCertificates: /etc/jhipster-registry-certs/REGISTRY.crt
```

Info: I can curl jhipster-registry with cacert when its IP is in the hosts file.

Thanks.

OniHanzo
  • SDS is short for secret discovery service. So Istio is looking for a secret containing the certificates. I do not know off the top of my head if your `DestinationRule` configuration is correct, but you should also be able to configure a `Secret` instead of a path. Regarding the path you configured: the file has to exist in the istio-proxy container, not in your application container. – Xaver Kapeller Apr 11 '23 at 14:58
  • As I said: the CA has been successfully placed in the Envoy proxy, which I have manually verified. But yes, it seems more correct to add this to SDS. – OniHanzo Apr 11 '23 at 15:10
  • I have another question: if I use Istio as a service mesh, is it good practice to set up my JHipster registry and my microservices (Spring Boot) with TLS? Or should I force HTTP? After analysis, it seems that the only place where traffic is not encrypted by Istio in the cluster is between the Envoy proxy and the connected microservice/container. Is that correct? – OniHanzo Apr 13 '23 at 12:35
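The Secret-based variant that the first comment refers to, written out as an added example (it is not part of the question or the comments, and no answer on this page confirms it resolves the error). It assumes a Secret named jhipster-registry-ca holding the same REGISTRY.crt PEM, created in namespace int because Istio requires the Secret in the namespace of the proxy that uses it, and that the registry's server certificate was issued for jhipster-registry.myDomain.be.

```yaml
# Added example: CA delivered to the sidecar through Istio's SDS from a Secret,
# instead of a file path that has to be mounted into the istio-proxy container.
# Equivalent kubectl one-liner for the Secret below:
#   kubectl -n int create secret generic jhipster-registry-ca \
#     --from-file=cacert=REGISTRY.crt
apiVersion: v1
kind: Secret
metadata:
  name: jhipster-registry-ca   # assumed name, not from the question
  namespace: int               # must be the namespace of the client pods
type: Opaque
stringData:
  # "cacert" is the key Istio reads from a credentialName Secret for the CA
  # used to verify the upstream server certificate.
  cacert: |
    -----BEGIN CERTIFICATE-----
    <placeholder: contents of REGISTRY.crt>
    -----END CERTIFICATE-----
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: jhipster-registry-destinationrule
  namespace: int
spec:
  host: jhipster-registry
  trafficPolicy:
    tls:
      mode: SIMPLE
      # Reference the Secret; Istio's SDS hands the CA to Envoy.
      credentialName: jhipster-registry-ca
      # SNI sent in the ClientHello; assumed to match the server cert.
      sni: jhipster-registry.myDomain.be
      # Pin the identity the sidecar accepts in the server cert, so a chain
      # that merely validates against the CA is not enough on its own.
      subjectAltNames:
      - jhipster-registry.myDomain.be
```

The `subjectAltNames` and `sni` values are assumptions about the registry's certificate; they must match the SAN the certificate actually carries or the handshake will fail verification.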

0 Answers