unable to access

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-config
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*.mycorp.us.com"
    tls:
      mode: SIMPLE
      credentialName: mycorp-cert
---

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: wf-virtualservice
  namespace: istio-config
spec:
  hosts:
    - "myservicename.mycorp.us.com"
  gateways:
    - gateway
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            host: myservicename.mycorp.us.com
            port:
              number: 443

I have enabled mTLS with the above manifest files to access the swagger URL of my app using https.

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: PERMISSIVE

I get 503 when accessing it. If I disable mTLS, I'm able to access the swagger URL myservicename.mycorp.us.com using HTTP by changing the port in the gateway manifest and replacing 443 with 80 wherever applicable, as below:

  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*.mycorp.us.com"

I do have an external LB set up and a static IP set up, xx.xxx.x.145:

NAME                   TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                                      AGE
istio-ingressgateway   LoadBalancer   xx.xxx.x.145   xx.xxx.x.177   15021:31010/TCP,80:32358/TCP,443:30515/TCP   17d
istiod                 ClusterIP      xx.xxx.235.15    <none>          15010/TCP,15012/TCP,443/TCP,15014/TCP        17d

I'm unable to figure out what's wrong with my configuration or manifest. I'd appreciate it if someone could help with this.

  • Where is the "myservicename.mycorp.us.com" at? Is that outside of your cluster, or? Are you trying to do mutual TLS with `myservicename.mycorp.us.com`? – peterj Jul 31 '23 at 20:29
  • "myservicename" is name of my service and ".mycorp.us.com" is my DNS. I know the static IP which is externally accessible is mapped at NXS-T level to the ingressgateway external IP 'xx.xxx.x.177' and I'm able to ping the static IP as well. – Venu Reddy Aug 03 '23 at 18:26
  • It looks like you have some sort of circular dependency there. If a request comes in on myservicename.corp.us.com:443, it gets routed to myservicename.corp.us.com:443 again... It seems like you have to do a match on the `myservicename.mycorp.us.com` and then route to an internal service or a different service outside of the cluster. That's why I asked where the myservicename.mycorp.us.com points to as it's not clear. – peterj Aug 04 '23 at 23:14
  • OK, I understand the question now. It's within the same cluster but in a different namespace. I deploy the service and deployment in a different namespace. – Venu Reddy Aug 08 '23 at 16:38
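An added example (not part of the question or its comments) of the routing shape peterj's comment describes: the VirtualService still matches the public hostname, but its destination is the cluster-internal Service rather than the public name again, so the gateway does not route a request back to itself. The application namespace `app-ns`, the Service name `myservicename` and the container port 8080 are assumptions; substitute the real values.

```yaml
# Added example, not the original poster's manifest.
# Assumptions: the app's Kubernetes Service is "myservicename" in namespace
# "app-ns" and exposes port 8080; the Gateway "gateway" in istio-config
# terminates HTTPS for *.mycorp.us.com exactly as in the question.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: wf-virtualservice
  namespace: istio-config
spec:
  hosts:
  - "myservicename.mycorp.us.com"   # public hostname the client sends in SNI/Host
  gateways:
  - istio-config/gateway            # namespace-qualified; same as "gateway" here
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        # Cluster-internal FQDN of the Service in the other namespace, not the
        # public hostname. Routing to myservicename.mycorp.us.com:443 would
        # point the gateway at itself, which is the loop peterj describes.
        host: myservicename.app-ns.svc.cluster.local
        port:
          number: 8080              # the Service port, not the gateway's 443
```

With a sidecar injected in `app-ns` and the PERMISSIVE PeerAuthentication from the question in place, the ingress-gateway-to-sidecar hop uses Istio's automatic mTLS, while the public edge keeps the SIMPLE TLS termination configured on the Gateway.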