I've been looking at terminating TLS in Istio between the redis client and server running in the Kubernetes cluster.

Essentially we have an Istio ingress gateway which handles all traffic to the cluster and I figured it might be able to terminate the TLS and send the traffic unencrypted to the server in the cluster.

However, after trying a TLS route I get a 404 ("response_code_details":"route_not_found"). The ingress gateway logs the correct domain (redis.cluster.company.com) though.

I read somewhere that PASSTHROUGH would make it work, but we want Istio to terminate the TLS.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - '*'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: domain-cert
      mode: SIMPLE
---
apiVersion: v1
kind: Service
metadata:
  name: redis
  namespace: infra-redis-poc
spec:
  type: ClusterIP
  ports:
  - protocol: TCP
    port: 6379
    targetPort: 6379
    name: tcp-redis
  selector:
    name: redis-primary
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: primary-deployment
  namespace: infra-redis-poc
  labels:
    name: redis-primary
spec:
  replicas: 1
  selector:
    matchLabels:
      name: redis-primary
  template:
    metadata:
      labels:
        name: redis-primary
    spec:
      subdomain: primary
      containers:
      - name: redis
        image: redis:7.0.11-alpine3.18
        command:
          - "redis-server"
        args:
          - "--protected-mode"
          - "no"
        ports:
        - containerPort: 6379
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: redis-vs
  namespace: infra-redis-poc
spec:
  gateways:
    - istio-system/gateway
  hosts:
  - redis.cluster.company.com
  tls:
  - match:
    - sniHosts:
      - redis.cluster.company.com
    route:
    - destination:
        host: redis.infra-redis-poc.svc.cluster.local

Any ideas welcome!

Kind regards,

Patrik

1 Answer

The issue might be related to the tls configuration in the VirtualService. Since you want to terminate TLS at the ingress gateway, you should use the http configuration instead of tls. Here's how you can modify the VirtualService to achieve this:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: redis-vs
  namespace: infra-redis-poc
spec:
  gateways:
  - istio-system/gateway
  hosts:
  - redis.cluster.company.com
  http:
  - match:
    - uri:
        prefix: "/"
    route:
    - destination:
        host: redis.infra-redis-poc.svc.cluster.local

In this configuration, we replaced the tls section with an http section. The match block is configured to match any URI with a prefix of "/", which means it will match all incoming requests. The route block remains the same, directing traffic to the redis service in the infra-redis-poc namespace.

By using the http configuration, the ingress gateway will terminate TLS and forward unencrypted traffic to the Redis server as desired (istio.io).

That won't work since Redis is not an HTTP based protocol. I tried though just for the sake of it and got `upstream connect error or disconnect/reset before headers. reset reason: connection termination` as expected. – PatrikJ Jun 07 '23 at 07:30
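For a non-HTTP protocol such as Redis, Istio's Gateway reference documents a third option besides `HTTPS` (HTTP routing after termination) and `PASSTHROUGH` (no termination): a server with `protocol: TLS` and `tls.mode: SIMPLE` terminates the TLS handshake and then hands the plaintext stream to a `tcp` route. The manifests below are an added example, not part of the question or the answer above; they assume the `istio-ingressgateway` Service has been extended with a port 6379 (the default install does not expose it) and that the `domain-cert` Secret covers `redis.cluster.company.com`.

```yaml
# Added example (not from the question or the answer): terminate TLS for a
# non-HTTP protocol at the ingress gateway and route the plaintext stream.
# Assumptions: istio-ingressgateway Service exposes port 6379, and the Secret
# domain-cert in istio-system is valid for redis.cluster.company.com.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: redis-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - redis.cluster.company.com      # matched against the client's SNI
    port:
      name: tls-redis                # "tls-" prefix marks the port protocol
      number: 6379
      protocol: TLS                  # TLS, not HTTPS: terminate, then treat as raw TCP
    tls:
      mode: SIMPLE                   # terminate here; PASSTHROUGH would forward ciphertext
      credentialName: domain-cert
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: redis-vs
  namespace: infra-redis-poc
spec:
  gateways:
  - istio-system/redis-gateway
  hosts:
  - redis.cluster.company.com
  tcp:                               # tcp, not http/tls: TLS is already stripped
  - match:
    - port: 6379                     # gateway port this route is bound to
    route:
    - destination:
        host: redis.infra-redis-poc.svc.cluster.local
        port:
          number: 6379
```

A `tls` route (as in the question) only matches on a server that still sees the ClientHello, which is why an HTTPS server answered with `route_not_found`; an `http` route (as in the answer) expects an HTTP request on the decrypted stream, which is why Redis's RESP bytes produced the `connection termination` error. Verify the new setup from outside the cluster with `redis-cli --tls --sni redis.cluster.company.com -h redis.cluster.company.com -p 6379 ping`, and confirm the pod-side connection is plaintext by checking that the Redis container is reached on 6379 without any TLS settings of its own.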