TLS Origination does not require ServiceEntry for external host over port 80 to work #21914
Labels
area/networking
kind/need more info
Need more info or followup from the issue reporter
lifecycle/automatically-closed
Indicates a PR or issue that has been closed automatically.
lifecycle/stale
Indicates a PR or issue hasn't been manipulated by an Istio team member for a while
Bug description
In our current setup, we are doing TLS origination directly from the proxy sidecar instead of the egress gateway. We have two external hosts that we want to do TLS origination for -
edition.cnn.com
andgithub.com
.We found out that TLS origination can work as long as we have at least one ServiceEntry/Kubernetes Service that listens on port 80 (regardless of hostname).
Steps to reproduce
For edition.cnn.com:
For github.com:
If we create a curl pod (that has the proxy sidecar) and run a curl command against
http://edition.cnn.com
orhttp://github.com
, we will receive acurl: (56) Recv failure: Connection reset by peer.
error.Run
istioctl pc cluster curl-pod.my-namespace
, and we can see that the cluster for the two external hosts exists:However, looking through the proxy config dump of this curl pod, we cannot find a dynamic active listener for
0.0.0.0:80
an no routes for routingedition.cnn.com:80
andgithub.com:80
to the two clusters listed above.cnn-egress
ServiceEntry:Listener for
0.0.0.0:80
is added:The missing dynamic routes for port 80 are also present now, including the one for
github.com
, which we didn't declare port 80 for in its ServiceEntry:http://edition.cnn.com
andhttp://github.com
from the curl pod.Expected Behaviour
After adding the port 80 definition for ServiceEntry of
cnn-egress
, only the TLS origination forhttp://edition.cnn.com
should work.github.com
should continue to be rejected.Also, instead of declaring port 80 on one of the ServiceEntry, adding a dummy Kubernetes Service that listens on port 80 also resulted in the same outcome.
Version (include the output of
istioctl version --remote
andkubectl version
andhelm version
if you used Helm)Istio 1.4.6
How was Istio installed?
Via the Istio helm charts
Environment where bug was observed (cloud vendor, OS, etc)
AWS EKS
The text was updated successfully, but these errors were encountered: