Reputation: 21
I've been smashing my head against this issue; I don't know if it's a bug or just misconfiguration. The situation I have is the following:
Inside my cluster, I have the namespace "testing", which has 2 deployments:
Services:
Both have their services working properly and an ALB is configured to be accessed from the browser.
Inside the cluster, from the front end, I can point the backend with a variable to https://back.example.com, and everything works as expected.
However, I was asked to make that communication INSIDE the cluster, so my first attempt was pointing this time to the backend service from the front-end.
Tried to point at: https://back-end-service.local and received this error:
Reason: CORS request did not succeed
Guessing it was because of TLS, I deployed Istio in the namespace, with mutual TLS enabled in STRICT mode. After opening Kiali, I do see the encrypted communication working; however, I still get the same error.
Testing I did:
If I log into the Front-End pod and try to make a curl https://back.example.com, I get a positive response from my API.
If I do a curl https://back-end-service.local, I get curl: (35) SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
So in brief, I can communicate with my back-end by going outside the cluster and then going back in, but if I try to communicate between services INSIDE, it fails with CORS and SSL errors.
My config:
```yaml
kind: PeerAuthentication
apiVersion: security.istio.io/v1beta1
metadata:
  name: default
  namespace: testing
  selfLink: >-
    /apis/security.istio.io/v1beta1/namespaces/production/peerauthentications/default
  resourceVersion: '7291'
  generation: 1
  creationTimestamp: '2020-06-06T00:22:24Z'
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"security.istio.io/v1beta1","kind":"PeerAuthentication","metadata":{"annotations":{},"name":"default","namespace":"testing"},"spec":{"mtls":{"mode":"STRICT"}}}
spec:
  selector: ~
  mtls:
    mode: STRICT
  portLevelMtls: ~
```
Back-End-Service:
```yaml
kind: Service
apiVersion: v1
metadata:
  name: back-end-service
  namespace: testing
  selfLink: /api/v1/namespaces/testing/services/back-end-service
  uid: dccf1b
  resourceVersion: '7520501'
  creationTimestamp: '2020-05-14T21:48:54Z'
  labels:
    app: back-end
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"back-end"},"name":"back-end-service","namespace":"testing"},"spec":{"ports":[{"name":"http","port":3001,"targetPort":3001}],"selector":{"app":"back-end"}}}
  finalizers:
    - service.kubernetes.io/load-balancer-cleanup
spec:
  ports:
    - name: https
      protocol: TCP
      port: 3001
      targetPort: 3001
      nodePort: 30742
  selector:
    app: back-end
  clusterIP: 192.168.1.1
  type: LoadBalancer
  sessionAffinity: None
  externalTrafficPolicy: Cluster
```
I've tried changing the port name on the services to HTTP and HTTPS, but it goes beyond that. Any help would be appreciated!
Upvotes: 1
Views: 501
Reputation: 1898
Can you try using port 3001 in place of port 443? There is probably no HTTPS on port 443, hence the SSL error.
Upvotes: 1
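The port check the answer suggests, as an added example that is not part of the original posts: it compares the effective port of a URL with the ports in the Service from the question, and also reports the port-name difference between the live spec and the last-applied annotation. The function names and the trimmed `SERVICE` dictionary are constructed for illustration, and the scheme comparison assumes Istio's `<protocol>[-<suffix>]` port-naming convention.

```python
import json
from urllib.parse import urlsplit

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the ports of the question's Service, live spec vs. last-applied.
SERVICE = {
    "metadata": {"annotations": {LAST_APPLIED: json.dumps(
        {"spec": {"ports": [{"name": "http", "port": 3001, "targetPort": 3001}]}})}},
    "spec": {"ports": [{"name": "https", "protocol": "TCP", "port": 3001,
                        "targetPort": 3001, "nodePort": 30742}]},
}


def port_protocol(port_name):
    """Protocol prefix of a port name (assumes Istio's <protocol>[-<suffix>] naming)."""
    return port_name.split("-", 1)[0].lower()


def check_url(url, svc):
    """Return findings explaining why `url` may not reach `svc` inside the cluster."""
    findings = []
    parts = urlsplit(url)
    # A URL without an explicit port uses the scheme default (443 for https).
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    live = {p["port"]: p.get("name", "") for p in svc["spec"]["ports"]}

    if port not in live:
        findings.append(f"port {port} is not exposed (Service ports: {sorted(live)})")
    elif port_protocol(live[port]) != parts.scheme:
        findings.append(f"URL scheme {parts.scheme!r} differs from port name {live[port]!r}")

    # Compare the live port names with what was last applied with kubectl.
    applied = json.loads(svc["metadata"].get("annotations", {}).get(LAST_APPLIED, "{}"))
    for p in applied.get("spec", {}).get("ports", []):
        if p["port"] in live and live[p["port"]] != p.get("name", ""):
            findings.append(
                f"port {p['port']} name drift: applied {p.get('name')!r}, live {live[p['port']]!r}")
    return findings


if __name__ == "__main__":
    for url in ("https://back-end-service.local", "https://back-end-service.local:3001"):
        print(url, "->", check_url(url, SERVICE) or "no port mismatch")
```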