nugetminer23

Reputation: 189

How do I properly HTTPS secure an application when using Istio?

I'm currently trying to wrap my head around what the typical application flow looks like for a Kubernetes application in combination with Istio.

So, for my app I have an asp.net application hosted within a Kubernetes cluster, and I added Istio on top. Here is my gateway & VirtualService:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: appgateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
      tls:
        httpsRedirect: true
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key
      hosts:
        - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: appvservice
spec:
  hosts:
    - "*"
  gateways:
    - appgateway
  tls:
    - match:
        - port: 443
          sniHosts:
            - "*"
      route:
        - destination:
            host: frontendservice.default.svc.cluster.local
            port:
              number: 443

This is what I came up with after reading through the Istio documentation.

Note that my frontendservice is a very basic ClusterIP service routing to an Asp.Net application which also offers standard 80 / 443 ports.

I have a few questions now:

I have imagined it to work like this:

  1. Request comes in. If it's on port 80, send a redirect to the client in order to send a https request. If it's on port 443, allow the request.
  2. The VirtualService provides the instructions for what should happen with requests on port 443 and forwards them to the service.
  3. The service now forwards the request to my app's 443 port.

Thanks in advance - I'm just learning Istio, and I'm a bit baffled why my seemingly proper setup does not work here.

Upvotes: 2

Views: 3763

Answers (2)

user140547

Reputation: 8200

Your Gateway terminates TLS connections, but your VirtualService is configured to accept unterminated TLS connections with TLSRoute.

Compare the example without TLS termination and the example which terminates TLS. Most probably, the "default" setup would be to terminate the TLS connection and configure the VirtualService with a HTTPRoute.

Upvotes: 3
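The two consistent shapes this answer contrasts, as an added example that is not part of the original answer: option A keeps the question's Gateway (TLS terminated at the ingress) and swaps the `tls` route for an `http` route; option B is the passthrough variant, where the Gateway's 443 server must also change. The hostname `app.example.com` and the choice of destination ports are assumptions.

```yaml
# Option A: Gateway above stays as it is (mode: SIMPLE, TLS terminated at the
# ingress). The decrypted request is plain HTTP by the time Istio routes it,
# so the VirtualService must use an HTTP route, not a TLS (SNI) route.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: appvservice
spec:
  hosts:
    - "*"
  gateways:
    - appgateway
  http:
    - match:
        - port: 443          # requests that arrived on the gateway's HTTPS listener
      route:
        - destination:
            host: frontendservice.default.svc.cluster.local
            port:
              number: 80     # assumed: the app's plaintext port; the gateway->pod hop
                             # is then protected only by mesh mTLS between sidecars
                             # (or by a DestinationRule with trafficPolicy.tls.mode
                             # SIMPLE if the app's own 443 port should be used)
---
# Option B: let the application terminate TLS itself. The TLS route from the
# question is correct only with a passthrough Gateway, i.e. the 443 server
# must use `protocol: TLS` with `tls: { mode: PASSTHROUGH }` and no certificate
# paths; it then matches on SNI, so a concrete hostname replaces "*".
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: appvservice-passthrough
spec:
  hosts:
    - app.example.com        # assumed hostname; must match the SNI the client sends
  gateways:
    - appgateway             # assumed: the Gateway reconfigured for PASSTHROUGH
  tls:
    - match:
        - port: 443
          sniHosts:
            - app.example.com
      route:
        - destination:
            host: frontendservice.default.svc.cluster.local
            port:
              number: 443    # the app's own TLS port; the certificate lives in the pod
```

With option B the ingress never sees the plaintext, so Istio cannot apply HTTP-level routing, retries or request-based policy to that traffic; with option A it can, which is why the answer calls termination plus an HTTP route the usual default.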

Sameer Naik

Reputation: 1412

We are also using a similar setup.

  • SSL is terminated on ingress gateway, but we use mTLS mode via Gateway CR.
  • Services are listening on non-ssl ports but sidecars use mTLS between them so that any container without sidecar cannot talk to service.
  • VirtualService is routing to non-ssl port of service.
  • Sidecar CR intercepts traffic going to and from non-ssl port of service.
  • PeerAuthentication sets mTLS between sidecars.

Upvotes: 1
