Use port 80 for TLS origination by egress gateway (#3200)

* use port 80 with protocol HTTPS for mTLS on egress gateway * rewrite the instructions about why to apply mutual TLS * make the protocol of 443 HTTPS * allow monitor -> allow to monitor
2019-02-07 22:06:24 +02:00 · 2019-02-07 22:06:24 +02:00 · 0529d549bf
parent 2606b1f522
commit 0529d549bf
1 changed files with 16 additions and 10 deletions
--- a/content/docs/examples/advanced-gateways/egress-gateway-tls-origination/index.md
+++ b/content/docs/examples/advanced-gateways/egress-gateway-tls-origination/index.md
@ -60,11 +60,11 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
      - edition.cnn.com
      ports:
      - number: 80
-        name: http-port
+        name: http
        protocol: HTTP
      - number: 443
-        name: http-port-for-tls-origination
-        protocol: HTTP
+        name: https
+        protocol: HTTPS
      resolution: DNS
    EOF
    {{< /text >}}
@ -86,8 +86,14 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
 1.  Create an egress `Gateway` for _edition.cnn.com_, port 443, and a destination rule for
    sidecar requests that will be directed to the egress gateway.

-    Choose the instructions corresponding to whether or not you have
-    [mutual TLS authentication](/docs/tasks/security/mutual-tls/) enabled in Istio.
+    Choose the instructions corresponding to whether or not you want to enable
+    [mutual TLS Authentication](/docs/tasks/security/mutual-tls/) between the source pod and the egress gateway.
+
+    {{< idea >}}
+    You may want to enable mutual TLS so the traffic between the source pod and the egress gateway will be encrypted.
+    In addition, mutual TLS will allow the egress gateway to monitor the identity of the source pods and enable Mixer
+    policy enforcement based on that identity.
+    {{< /idea >}}

    {{< tabset cookie-name="mtls" >}}

@ -104,7 +110,7 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
        istio: egressgateway
      servers:
      - port:
-          number: 443
+          number: 80
          name: https
          protocol: HTTPS
        hosts:
@ -128,7 +134,7 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
            simple: ROUND_ROBIN
          portLevelSettings:
          - port:
-              number: 443
+              number: 80
            tls:
              mode: ISTIO_MUTUAL
              sni: edition.cnn.com
@ -150,7 +156,7 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
        istio: egressgateway
      servers:
      - port:
-          number: 443
+          number: 80
          name: http-port-for-tls-origination
          protocol: HTTP
        hosts:
@ -196,12 +202,12 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
            host: istio-egressgateway.istio-system.svc.cluster.local
            subset: cnn
            port:
-              number: 443
+              number: 80
          weight: 100
      - match:
        - gateways:
          - istio-egressgateway
-          port: 443
+          port: 80
        route:
        - destination:
            host: edition.cnn.com