istio: Setting up a ServiceEntry for HTTPS/TLS with SNI fails with Istio on GKE

Describe the bug

Using the example config

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-https
spec:
  hosts:
  - api.dropboxapi.com
  - www.googleapis.com
  - api.facebook.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: https
    protocol: TLS
  resolution: DNS

from https://istio.io/docs/reference/config/networking/v1alpha3/service-entry/, running curl https://www.googleapis.com fails with curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number on Ubuntu 18.04 and with curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol on Ubuntu 14.04. The same command works when adding

  - number: 80
    name: http
    protocol: HTTP

to the ServiceEntry and using http:// instead of https://. Using protocol: HTTPS does not make a difference.

I understand that Istio won’t be able to inspect the HTTP traffic; however, the documentation indicates that the above setup should allow detecting the remote host via SNI and then proxying the encrypted connection through the egress.

Expected behavior

curl to the https:// URL should work as well.

Steps to reproduce the bug

  1. Launch an Ubuntu 18.04 image on Kubernetes:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: xxx
  namespace: xxx
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: xxx
    spec:
      containers:
      - name: xxx
        image: ubuntu:18.04
        imagePullPolicy: Always
        command: ["/bin/sleep"]
        args: ["36000"]

Version

version.BuildInfo{Version:"1.1.1", GitRevision:"2b1331886076df103179e3da5dc9077fed59c989", User:"root", Host:"7077232d-4c6c-11e9-813c-0a580a2c0506", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.0-17-g2b13318"}
Error: error execing into istio-citadel-76f674f64-wskvg citadel container: command terminated with exit code 255

No idea why that command fails — according to the GKE dashboard, I am running Istio 1.0.6-gke.1. The error also occurred with Istio 1.0.3, though.

Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.7", GitCommit:"65ecaf0671341311ce6aea0edab46ee69f65d59e", GitTreeState:"clean", BuildDate:"2019-01-24T19:32:00Z", GoVersion:"go1.10.7", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.6-gke.7", GitCommit:"aeaa96020ec0614a8773799058c3b8d58c19b9ff", GitTreeState:"clean", BuildDate:"2019-03-13T11:22:57Z", GoVersion:"go1.10.8b4", Compiler:"gc", Platform:"linux/amd64"}

Installation

Installed via Istio on GKE, with permissive mTLS. (I did have strict TLS enabled before, but have since disabled that again.)

Environment

Vanilla GKE with Container-Optimized OS, see above for the Kubernetes version.

Cluster state

(Partial dump attached: istio-dump.zip)
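As an added diagnostic (not part of the original issue and not Istio's own code), the script below makes the mechanism the issue relies on concrete. It builds a minimal TLS ClientHello that carries an SNI extension, parses the server name back out of it the way an SNI-based passthrough proxy must before it can forward the still-encrypted stream, and classifies the first bytes a server sends back. A plaintext `HTTP/...` reply to a ClientHello is exactly what produces OpenSSL's `wrong version number` (Ubuntu 18.04) and `unknown protocol` (Ubuntu 14.04) errors: the bytes `HT` are not a valid TLS record header, which means the proxy in front of the client is treating port 443 as plaintext HTTP instead of passing TLS through. The sample reply bytes are constructed; `probe()` needs network access and is the only part not exercised offline.

```python
import os
import socket
import struct
from typing import Optional

# Cipher suites advertised by the constructed ClientHello (IANA TLS registry values).
CIPHER_SUITES = (0xC02F, 0xC030)  # ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record whose only extension is SNI."""
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension server_name(0)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = struct.pack("!H", 2 * len(CIPHER_SUITES)) + b"".join(
        struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!H", 0x0303)      # client_version: TLS 1.2
            + os.urandom(32)               # random
            + b"\x00"                      # empty session_id
            + suites
            + b"\x01\x00"                  # compression_methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None.

    This is the inspection a TLS passthrough proxy performs on the first record
    to decide where to forward the connection without decrypting it.
    """
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # skip client_version and random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0:
                continue
            q = 2                                               # skip server_name_list length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("idna")
                q += nlen
    except (IndexError, struct.error, UnicodeError):
        return None
    return None


def classify_response(first_bytes: bytes) -> str:
    """Classify what answered a ClientHello.

    'tls'            a handshake (ServerHello) or alert record: the port really speaks TLS.
    'plaintext-http' an HTTP response to a ClientHello: something in the path treats the
                     port as plaintext HTTP; OpenSSL reports this as 'wrong version number'
                     or 'unknown protocol' because 'HT' is not a valid record header.
    """
    if not first_bytes:
        return "empty"
    if len(first_bytes) >= 3 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a ClientHello for `host` and classify the first reply bytes (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        return classify_response(sock.recv(16))


# Constructed samples: the leading bytes of a TLS ServerHello record, and the plaintext
# reply a proxy that speaks HTTP on port 443 would send back to a ClientHello.
SAMPLE_SERVER_HELLO = bytes.fromhex("160303005a020000560303")
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nconnection: close\r\n\r\n"

if __name__ == "__main__":
    hello = build_client_hello("www.googleapis.com")
    print("SNI in ClientHello:", extract_sni(hello))
    print("TLS server answer: ", classify_response(SAMPLE_SERVER_HELLO))
    print("HTTP proxy answer: ", classify_response(SAMPLE_HTTP_REPLY))
    # From inside a sidecar-injected pod: print(probe("www.googleapis.com"))
```

Run from inside a sidecar-injected pod, `probe("www.googleapis.com")` returning `plaintext-http` reproduces the curl failure independently of the OpenSSL version and its wording, while `tls` indicates the ServiceEntry is being honoured as TLS passthrough.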

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 17 (8 by maintainers)

Most upvoted comments

@MrMage We just ran into the same issue. From what I can see, the issue is that GKE only has Istio 1.0.6 and you need 1.1+ for the single ServiceEntry (no VirtualService) configuration.