I've been smashing my head against this issue; I don't know if it's a bug or just a misconfiguration. The situation I have is the following:
Inside my cluster, I have the namespace "testing", which has 2 deployments:
Services:
Both have their services working properly and an ALB is configured to be accessed from the browser.
Inside the cluster, from the front end, I can point to the backend with a variable set to https://back.example.com, and everything works as expected.
However, I was asked to make that communication INSIDE the cluster, so my first attempt was pointing this time to the backend service from the front end.
Tried to point at: https://back-end-service.local and received this error:
Reason: CORS request did not succeed
Guessing it was because of TLS, I deployed Istio in the namespace, with mutual TLS enabled in STRICT mode. After opening Kiali, I do see the encrypted communication working; however, I still get the same error.
Testing I did:
If I log into the Front-End pod and try to make a curl https://back.example.com, I get a positive response from my API.
If I do a curl https://back-end-service.local, I get curl: (35) SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
So in brief, I can communicate with my back end by going outside the cluster and then going back in, but if I try to communicate between services INSIDE, it fails with a CORS and SSL error.
My config:
kind: PeerAuthentication
apiVersion: security.istio.io/v1beta1
metadata:
  name: default
  namespace: testing
  selfLink: >-
    /apis/security.istio.io/v1beta1/namespaces/production/peerauthentications/default
  resourceVersion: '7291'
  generation: 1
  creationTimestamp: '2020-06-06T00:22:24Z'
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"security.istio.io/v1beta1","kind":"PeerAuthentication","metadata":{"annotations":{},"name":"default","namespace":"testing"},"spec":{"mtls":{"mode":"STRICT"}}}
spec:
  selector: ~
  mtls:
    mode: STRICT
  portLevelMtls: ~
Back-End-Service:
kind: Service
apiVersion: v1
metadata:
  name: back-end-service
  namespace: testing
  selfLink: /api/v1/namespaces/testing/services/back-end-service
  uid: dccf1b
  resourceVersion: '7520501'
  creationTimestamp: '2020-05-14T21:48:54Z'
  labels:
    app: back-end
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"back-end"},"name":"back-end-service","namespace":"testing"},"spec":{"ports":[{"name":"http","port":3001,"targetPort":3001}],"selector":{"app":"back-end"}}}
  finalizers:
    - service.kubernetes.io/load-balancer-cleanup
spec:
  ports:
    - name: https
      protocol: TCP
      port: 3001
      targetPort: 3001
      nodePort: 30742
  selector:
    app: back-end
  clusterIP: 192.168.1.1
  type: LoadBalancer
  sessionAffinity: None
  externalTrafficPolicy: Cluster
I've tried to change the port name to HTTP and HTTPS on the services, but it goes beyond that. Any help would be appreciated!
Can you try using port 3001 in place of port 443? There is probably no HTTPS on port 443, and so the SSL error.
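
The port mismatch this answer points at, as an added example that is not part of the original question or answer: a URL without an explicit port falls back to the scheme default (443 for https), while the Service above exposes only 3001. The function names and the `BACK_END_SERVICE` dictionary are hypothetical; the dictionary is constructed from the Service manifest in the question.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed from the Service manifest in the question (only the fields used here).
BACK_END_SERVICE = {
    "name": "back-end-service",
    "ports": [{"name": "https", "protocol": "TCP", "port": 3001, "targetPort": 3001}],
}


def effective_port(url):
    """Port a client connects to: the explicit one, else the scheme default."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"no default port known for scheme {parts.scheme!r}")
    return DEFAULT_PORTS[parts.scheme]


def check_url_against_service(url, service):
    """Return a list of findings; an empty list means URL and Service agree."""
    port = effective_port(url)
    exposed = {p["port"]: p for p in service["ports"]}
    if port not in exposed:
        return [f"{url} connects to port {port}, but {service['name']} "
                f"only exposes {sorted(exposed)}"]
    findings = []
    # Istio reads the protocol from the port name prefix (<protocol>[-<suffix>]).
    declared = exposed[port].get("name", "").split("-")[0].lower()
    scheme = urlsplit(url).scheme
    if declared in DEFAULT_PORTS and declared != scheme:
        findings.append(f"{url} uses {scheme}, but port {port} is named {declared!r}")
    return findings


if __name__ == "__main__":
    for url in ("https://back-end-service.local",
                "https://back-end-service.local:3001",
                "http://back-end-service.local:3001"):
        print(url, "->", check_url_against_service(url, BACK_END_SERVICE) or "ok")
```

An empty result only means the URL and the Service definition agree on port and declared protocol; it does not show that the application behind port 3001 actually speaks TLS.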