From 4811aa23f85ae864a311842d1e6e0ae939ce3d41 Mon Sep 17 00:00:00 2001
From: Gregory Hanson
Date: Mon, 20 Jul 2020 10:09:29 -0400
Subject: [PATCH] Fix for Egress Gateway TLS Origination Task (#7732)

* one possible fix for egress tls origination fix

* update snips

* re-enable egress gateway mtls origination test
---
 .../egress-gateway-tls-origination/index.md | 20 +++++++++++++------
 .../mtls_test.sh | 2 +-
 .../egress-gateway-tls-origination/snips.sh | 20 +++++++++++++------
 3 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md
index 6bcb7f38c9..be0d8eaae9 100644
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md
@@ -105,10 +105,12 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
 servers:
 - port:
 number: 80
- name: http-port-for-tls-origination
- protocol: HTTP
+ name: https-port-for-tls-origination
+ protocol: HTTPS
 hosts:
 - edition.cnn.com
+ tls:
+ mode: ISTIO_MUTUAL
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
@@ -118,6 +120,15 @@ be done by the egress gateway, as opposed to by the sidecar in the previous exam
 host: istio-egressgateway.istio-system.svc.cluster.local
 subsets:
 - name: cnn
+ trafficPolicy:
+ loadBalancer:
+ simple: ROUND_ROBIN
+ portLevelSettings:
+ - port:
+ number: 80
+ tls:
+ mode: ISTIO_MUTUAL
+ sni: edition.cnn.com
 EOF
 {{< /text >}}
@@ -649,10 +660,7 @@ to hold the configuration of the NGINX server:
 hosts:
 - nginx.example.com
 tls:
- mode: MUTUAL
- serverCertificate: /etc/certs/cert-chain.pem
- privateKey: /etc/certs/key.pem
- caCertificates: /etc/certs/root-cert.pem
+ mode: ISTIO_MUTUAL
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
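Review bot: The new `sni: edition.cnn.com` under `portLevelSettings` in the `istio-egressgateway` DestinationRule is what lets the egress Gateway's HTTPS/ISTIO_MUTUAL server (`hosts: - edition.cnn.com`) select this traffic, and nothing in the hunk explains that coupling; a mismatch would presumably fail at the TLS handshake on the gateway rather than as an obvious routing error, which is hard to debug from the task alone. I would add one sentence to the task text above the snippet, along the lines of `The sni value must match an entry in the Gateway's hosts list; ISTIO_MUTUAL here secures only the sidecar-to-egress-gateway hop, and validation of the external server's certificate is configured in the separate TLS-origination DestinationRule.` The `loadBalancer: simple: ROUND_ROBIN` stanza is unrelated to the fix and is Istio's default, so it can be dropped to keep the example minimal. Whether the gateway-to-edition.cnn.com leg validates the server certificate is configured outside this hunk, so I cannot confirm it here.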
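Review bot: Replacing `mode: MUTUAL` and the `/etc/certs/*.pem` file paths with `mode: ISTIO_MUTUAL` in the nginx Gateway changes where the gateway's server identity comes from — it now uses mesh-issued workload certificates rather than files mounted into the gateway pod — and any task prose outside this hunk that still tells readers to mount or inspect those files for this Gateway should be checked and updated. It would help to state this under the snippet, e.g. `ISTIO_MUTUAL uses the egress gateway's mesh identity for the sidecar-to-gateway hop; the client certificate presented to the external NGINX server is configured separately in the originate-mtls-for-nginx DestinationRule.` The name `originate-mtls-for-nginx` appears only in the test script in this patch, so confirm it matches the task's own snippet before quoting it.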
diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/mtls_test.sh b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/mtls_test.sh
index 337a8cf236..d6ba9198ff 100644
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/mtls_test.sh
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/mtls_test.sh
@@ -86,7 +86,7 @@ _wait_for_istio virtualservice default direct-nginx-through-egress-gateway
 _wait_for_istio destinationrule default originate-mtls-for-nginx
 # TODO: Verify HTTP connection to nginx
-#_verify_elided snip_configure_mutual_tls_origination_for_egress_traffic_3 "$snip_configure_mutual_tls_origination_for_egress_traffic_3_out"
+_verify_elided snip_configure_mutual_tls_origination_for_egress_traffic_3 "$snip_configure_mutual_tls_origination_for_egress_traffic_3_out"
 #TODO: verify request is actually being routed through egress gateway
diff --git a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/snips.sh b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/snips.sh
index be364b8e23..b9579d0d3e 100644
--- a/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/snips.sh
+++ b/content/en/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/snips.sh
@@ -75,10 +75,12 @@ spec:
 servers:
 - port:
 number: 80
- name: http-port-for-tls-origination
- protocol: HTTP
+ name: https-port-for-tls-origination
+ protocol: HTTPS
 hosts:
 - edition.cnn.com
+ tls:
+ mode: ISTIO_MUTUAL
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
@@ -88,6 +90,15 @@ spec:
 host: istio-egressgateway.istio-system.svc.cluster.local
 subsets:
 - name: cnn
+ trafficPolicy:
+ loadBalancer:
+ simple: ROUND_ROBIN
+ portLevelSettings:
+ - port:
+ number: 80
+ tls:
+ mode: ISTIO_MUTUAL
+ sni: edition.cnn.com
 EOF
 }
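Review bot: The `# TODO: Verify HTTP connection to nginx` comment directly above the re-enabled `_verify_elided snip_configure_mutual_tls_origination_for_egress_traffic_3 "$snip_configure_mutual_tls_origination_for_egress_traffic_3_out"` line is now stale and should be deleted, since that line is exactly the check being re-enabled. The remaining `#TODO: verify request is actually being routed through egress gateway` is the security-relevant gap: the re-enabled assertion proves the NGINX response arrived, not that it traversed the egress gateway, so a configuration regression that let the sidecar connect to NGINX directly would still pass. A follow-up check that inspects the egress gateway proxy log for `nginx.example.com` after the request would close that gap; the test helpers are not visible in this patch, so the exact helper to use is unconfirmed. The enclosing script continues outside the hunk.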
@@ -514,10 +525,7 @@ spec:
 hosts:
 - nginx.example.com
 tls:
- mode: MUTUAL
- serverCertificate: /etc/certs/cert-chain.pem
- privateKey: /etc/certs/key.pem
- caCertificates: /etc/certs/root-cert.pem
+ mode: ISTIO_MUTUAL
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule