Accessing service using istio ingress gives 503 error when mTLS is enabled
The problem is probably as follows: istio-ingressgateway initiates mTLS to hr--gateway-service on port 80, but hr--gateway-service expects plain HTTP connections.
There are multiple solutions:
- Define a DestinationRule to instruct clients to disable mTLS on calls to hr--gateway-service
  ```yaml
  apiVersion: networking.istio.io/v1alpha3
  kind: DestinationRule
  metadata:
    name: hr--gateway-service-disable-mtls
  spec:
    host: hr--gateway-service.default.svc.cluster.local
    trafficPolicy:
      tls:
        mode: DISABLE
  ```
- Instruct hr-gateway-service to accept mTLS connections. For that, configure the server TLS options on port 80 to be `MUTUAL` and to use Istio certificates and the private key. Specify `serverCertificate`, `caCertificates` and `privateKey` to be `/etc/certs/cert-chain.pem`, `/etc/certs/root-cert.pem`, `/etc/certs/key.pem`, respectively.