Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CERTIFICATE_VERIFY_FAILED #8

Open
DamianSkrzypczak opened this issue Jan 24, 2024 · 0 comments · May be fixed by #6
Open

CERTIFICATE_VERIFY_FAILED #8

DamianSkrzypczak opened this issue Jan 24, 2024 · 0 comments · May be fixed by #6

Comments

@DamianSkrzypczak
Copy link
Owner

DamianSkrzypczak commented Jan 24, 2024
edited

Description:

Here, instead of trying to manually set "istio-ca" secret,
we are trying to generate our own root certificate, create root-ca-cert secret
and then configure selfsigned issuer (name kept for convinence)
to use our root-ca-cert instead of generating selfsigned certificate.

This was done in DIFF by commenting one part of issuer

# spec:
#   selfSigned: {}

and uncommenting other

spec:
  ca:
    secretName: root-ca-cert

Then we apply resources and follow steps from documentation and we download istio-ca secret (this is secret generated by istio-ca issuer / certificate pair, not root issuer) and put it manually again as istio-root-ca for istio-csr to use.

It looks like we are breaking communication between istio-ingressgateway and productpage services.

when we try to load to productpage (for example on address http://localhost:31077/productpage)
we will get

upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

and istio-ingressgateway pod will log:

[2024-01-24T13:04:46.181Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 44 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "496b1b86-6c4a-448b-b5d1-7439a7418126" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -

How to reproduce issue:

Just apply DIFF section from below to your makefile and run make setup.
Setup will complete but both (http and https) endpoints will return error upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

DIFF:

diff --git a/Makefile b/Makefile
index b34e46a..c7b26a0 100644
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,7 @@ setup: \
 	load-cert-manager-images \
 	install-cert-manager \
 	create-istio-namespace \
+	create-root-ca-certificate-secret \
 	apply-cert-manager-issuer-and-certificate \
 	create-istio-root-ca-certificate-secret \
 	install-istio-csr \
@@ -43,6 +44,19 @@ install-cert-manager: ## Install cert-manager (https://cert-manager.io/docs/)
 create-istio-namespace: ## Create istio-system namespace (necessary to be created beforehand for istio-csr)
 	kubectl create namespace istio-system
 
+create-root-ca-certificate-secret:
+	openssl req -x509 -new -nodes \
+    -newkey rsa:4096 \
+    -keyout istio-csr/certs/root-ca.key \
+    -sha256 -days 3650 \
+    -out istio-csr/certs/root-ca.crt \
+    -subj "/O=cert-manager \+ O=cluster.local/CN=istio-ca" \
+    -addext "keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign" \
+    -addext "basicConstraints = critical,CA:TRUE" \
+    -config istio-csr/openssl.cnf
+	
+	kubectl create secret tls root-ca-cert --cert=istio-csr/certs/root-ca.crt --key=istio-csr/certs/root-ca.key -n istio-system
+
 apply-cert-manager-issuer-and-certificate: ## Apply istio-csr selfsigned root issuer / certificate / istio-ca issuer  
 	kubectl apply -f istio-csr/
 	kubectl wait --for=condition=Ready --timeout=600s issuer/selfsigned -n istio-system
diff --git a/istio-csr/istio-csr-root-issuer.yaml b/istio-csr/istio-csr-root-issuer.yaml
index 3a1a89d..69f765a 100644
--- a/istio-csr/istio-csr-root-issuer.yaml
+++ b/istio-csr/istio-csr-root-issuer.yaml
@@ -4,8 +4,8 @@ kind: Issuer
 metadata:
   name: selfsigned
   namespace: istio-system
-spec:
-  selfSigned: {}
+# spec:
+#   selfSigned: {}
 ##################################
 # For some reason, custom certificate
 # uploaded into secret results in
@@ -13,7 +13,7 @@ spec:
 # in ingressgateway when its trying to connect to productpage
 # TODO: research that further
 #
-# spec:
-#   ca:
-#     secretName: root-ca-cert
+spec:
+  ca:
+    secretName: root-ca-cert
 #################################

LOGS:

❯ kubectl logs -n istio-system -l app=istio-ingressgateway

2024-01-24T12:56:08.944747Z     info    FLAG: --concurrency="0"
2024-01-24T12:56:08.944763Z     info    FLAG: --domain="istio-system.svc.cluster.local"
2024-01-24T12:56:08.944767Z     info    FLAG: --help="false"
2024-01-24T12:56:08.944769Z     info    FLAG: --log_as_json="false"
2024-01-24T12:56:08.944771Z     info    FLAG: --log_caller=""
2024-01-24T12:56:08.944773Z     info    FLAG: --log_output_level="default:info"
2024-01-24T12:56:08.944775Z     info    FLAG: --log_rotate=""
2024-01-24T12:56:08.944777Z     info    FLAG: --log_rotate_max_age="30"
2024-01-24T12:56:08.944778Z     info    FLAG: --log_rotate_max_backups="1000"
2024-01-24T12:56:08.944780Z     info    FLAG: --log_rotate_max_size="104857600"
2024-01-24T12:56:08.944782Z     info    FLAG: --log_stacktrace_level="default:none"
2024-01-24T12:56:08.944795Z     info    FLAG: --log_target="[stdout]"
2024-01-24T12:56:08.944798Z     info    FLAG: --meshConfig="./etc/istio/config/mesh"
2024-01-24T12:56:08.944801Z     info    FLAG: --outlierLogPath=""
2024-01-24T12:56:08.944804Z     info    FLAG: --proxyComponentLogLevel="misc:error"
2024-01-24T12:56:08.944809Z     info    FLAG: --proxyLogLevel="warning"
2024-01-24T12:56:08.944812Z     info    FLAG: --serviceCluster="istio-proxy"
2024-01-24T12:56:08.944815Z     info    FLAG: --stsPort="0"
2024-01-24T12:56:08.944817Z     info    FLAG: --templateFile=""
2024-01-24T12:56:08.944821Z     info    FLAG: --tokenManagerPlugin="GoogleTokenExchange"
2024-01-24T12:56:08.944827Z     info    FLAG: --vklog="0"
2024-01-24T12:56:08.944832Z     info    Version 1.16.1-f6d7bf648e571a6a523210d97bde8b489250354b-Clean
2024-01-24T12:56:08.946135Z     info    Maximum file descriptors (ulimit -n): 1073741816
2024-01-24T12:56:08.946240Z     info    Proxy role      ips=[10.244.0.11] type=router id=istio-ingressgateway-ff57d9cc9-6p6tg.istio-system domain=istio-system.svc.cluster.local
2024-01-24T12:56:08.946288Z     info    Apply mesh config from file accessLogFile: /dev/stdout
defaultConfig:
  discoveryAddress: istiod.istio-system.svc:15012
  proxyMetadata: {}
  tracing:
    zipkin:
      address: zipkin.istio-system:9411
enablePrometheusMerge: true
extensionProviders:
- envoyOtelAls:
    port: 4317
    service: opentelemetry-collector.istio-system.svc.cluster.local
  name: otel
rootNamespace: istio-system
trustDomain: cluster.local
2024-01-24T12:56:08.950128Z     info    Effective config: binaryPath: /usr/local/bin/envoy
configPath: ./etc/istio/proxy
controlPlaneAuthPolicy: MUTUAL_TLS
discoveryAddress: istiod.istio-system.svc:15012
drainDuration: 45s
parentShutdownDuration: 60s
proxyAdminPort: 15000
serviceCluster: istio-proxy
statNameLength: 189
statusPort: 15020
terminationDrainDuration: 5s
tracing:
  zipkin:
    address: zipkin.istio-system:9411

2024-01-24T12:56:08.950149Z     info    JWT policy is third-party-jwt
2024-01-24T12:56:08.950152Z     info    using credential fetcher of JWT type in cluster.local trust domain
2024-01-24T12:56:09.051465Z     info    Workload SDS socket not found. Starting Istio SDS Server
2024-01-24T12:56:09.051518Z     info    CA Endpoint cert-manager-istio-csr.cert-manager.svc:443, provider Citadel
2024-01-24T12:56:09.051539Z     info    Using CA cert-manager-istio-csr.cert-manager.svc:443 cert with certs: var/run/secrets/istio/root-cert.pem
2024-01-24T12:56:09.051666Z     info    citadelclient   Citadel client using custom root cert: var/run/secrets/istio/root-cert.pem
2024-01-24T12:56:09.054135Z     info    Opening status port 15020
2024-01-24T12:56:09.070783Z     info    ads     All caches have been synced up in 127.871268ms, marking server ready
2024-01-24T12:56:09.071098Z     info    xdsproxy        Initializing with upstream address "istiod.istio-system.svc:15012" and cluster "Kubernetes"
2024-01-24T12:56:09.072916Z     info    Pilot SAN: [istiod.istio-system.svc]
2024-01-24T12:56:09.073707Z     info    sds     Starting SDS grpc server
2024-01-24T12:56:09.073791Z     info    starting Http service at 127.0.0.1:15004
2024-01-24T12:56:09.075470Z     info    Starting proxy agent
2024-01-24T12:56:09.075510Z     info    starting
2024-01-24T12:56:09.075542Z     info    Envoy command: [-c etc/istio/proxy/envoy-rev.json --drain-time-s 45 --drain-strategy immediate --parent-shutdown-time-s 60 --local-address-ip-version v4 --file-flush-interval-msec 1000 --disable-hot-restart --log-format %Y-%m-%dT%T.%fZ    %l      envoy %n        %v -l warning --component-log-level misc:error]
2024-01-24T12:56:09.166785Z     info    xdsproxy        connected to upstream XDS server: istiod.istio-system.svc:15012
2024-01-24T12:56:09.230338Z     info    ads     ADS: new connection for node:istio-ingressgateway-ff57d9cc9-6p6tg.istio-system-1
2024-01-24T12:56:09.230401Z     info    ads     ADS: new connection for node:istio-ingressgateway-ff57d9cc9-6p6tg.istio-system-2
2024-01-24T12:56:09.573023Z     info    cache   generated new workload certificate      latency=499.325735ms ttl=59m59.426994393s
2024-01-24T12:56:09.573054Z     info    cache   Root cert has changed, start rotating root cert
2024-01-24T12:56:09.573065Z     info    ads     XDS: Incremental Pushing:0 ConnectedEndpoints:2 Version:
2024-01-24T12:56:09.573123Z     info    cache   returned workload trust anchor from cache       ttl=59m59.426880594s
2024-01-24T12:56:09.573148Z     info    cache   returned workload certificate from cache        ttl=59m59.426859765s
2024-01-24T12:56:09.573342Z     info    cache   returned workload trust anchor from cache       ttl=59m59.426663626s
2024-01-24T12:56:09.573416Z     info    ads     SDS: PUSH request for node:istio-ingressgateway-ff57d9cc9-6p6tg.istio-system resources:1 size:5.3kB resource:default
2024-01-24T12:56:09.573452Z     info    ads     SDS: PUSH request for node:istio-ingressgateway-ff57d9cc9-6p6tg.istio-system resources:1 size:1.3kB resource:ROOTCA
2024-01-24T12:56:09.573504Z     info    cache   returned workload trust anchor from cache       ttl=59m59.426499646s
2024-01-24T12:56:09.656025Z     info    Readiness succeeded in 717.894888ms
2024-01-24T12:56:09.656265Z     info    Envoy proxy is ready
[2024-01-24T12:56:41.158Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 66 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "83510ddc-dc2b-48b9-a91f-0a3e202e4397" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:43686 - -
[2024-01-24T12:56:41.294Z] "GET /favicon.ico HTTP/1.1" 404 NR route_not_found - "-" 0 0 0 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "4cc3d8dc-940c-4110-ad61-b882cb3a21a8" "localhost:31077" "-" - - 10.244.0.11:8080 10.244.0.1:43686 - -
[2024-01-24T12:56:42.951Z] "GET /productpage HTTP/2" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 46 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "dff0e8fb-a62d-4a16-9ff7-591d52593b97" "localhost:32360" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8443 10.244.0.1:28802 localhost -
[2024-01-24T12:56:43.075Z] "GET /favicon.ico HTTP/2" 404 NR route_not_found - "-" 0 0 0 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "de2860ca-5a6c-47f2-9bdd-8d56c7aeae4c" "localhost:32360" "-" - - 10.244.0.11:8443 10.244.0.1:28802 localhost -
[2024-01-24T13:04:45.838Z] "GET /productpage HTTP/2" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 72 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "5f61b16c-ccf0-41b9-9f61-d73c4245a116" "localhost:32360" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8443 10.244.0.1:28802 localhost -
[2024-01-24T13:04:46.181Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 44 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "496b1b86-6c4a-448b-b5d1-7439a7418126" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:46.363Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 31 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "c65f4875-d2c2-47fd-b819-3f2bc0b22287" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:46.538Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 29 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "8bc69ed7-6410-4050-abe9-ef358bf3c794" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:46.722Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 39 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "bb67faa6-ec21-4e48-b458-434b523f5fbd" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:47.555Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 21 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "56785243-505b-4e6d-8fff-52fa401a6e6a" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:47.746Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 18 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "c95bafc3-0af6-470c-a8ff-eed8ef36a5e5" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:47.939Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 43 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "b1884e03-ef09-9e4c-8b36-b99f4aa1a13c" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:48.130Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 23 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "f2af831e-07fb-4f50-a88e-323412f529c0" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:48.386Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 34 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "9ec68b9e-9faa-4b13-8e1f-6bfde9dd2641" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:48.752Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 53 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "53780be5-40e7-4055-9566-dfe39acffc07" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:49.461Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 67 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "cc6c3745-8519-4d48-aabf-feab022bd1f1" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:49.574Z] "GET /favicon.ico HTTP/1.1" 404 NR route_not_found - "-" 0 0 0 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "5b86e4d2-a1a9-427e-be9c-92d5e9e4920f" "localhost:31077" "-" - - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:49.691Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 26 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "c112e156-fcfe-975d-af3d-58a2ee7751af" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:49.743Z] "GET /favicon.ico HTTP/1.1" 404 NR route_not_found - "-" 0 0 0 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "a03c17b1-96f9-41ea-baf6-852dfd16f0df" "localhost:31077" "-" - - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:49.887Z] "GET /productpage HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED} - "TLS_error:_268435581:SSL_routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 218 46 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "229186a5-c1f3-4f04-8da2-a0c44aabcff9" "localhost:31077" "10.244.0.22:9080" outbound|9080||productpage.default.svc.cluster.local - 10.244.0.11:8080 10.244.0.1:17181 - -
[2024-01-24T13:04:49.969Z] "GET /favicon.ico HTTP/1.1" 404 NR route_not_found - "-" 0 0 0 - "10.244.0.1" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" "a49a1092-ea23-4bfd-9fce-74da424877e1" "localhost:31077" "-" - - 10.244.0.11:8080 10.244.0.1:17181 - -
@DamianSkrzypczak DamianSkrzypczak linked a pull request Jan 24, 2024 that will close this issue
Add istio-csr integration #6
Draft
@DamianSkrzypczak DamianSkrzypczak linked a pull request Jan 24, 2024 that will close this issue
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add istio-csr integration DamianSkrzypczak/istio-local-cluster
1 participant
@DamianSkrzypczak