I have a gRPC ASP.NET server sitting behind an Istio ingress gateway. gRPC requests work when TCP is used as the gateway protocol, but they fail if the protocol is set to HTTPS. I am trying to use Istio to terminate SSL/TLS for gRPC requests, but no luck so far.
```yaml
# working tcp gateway
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: testing
spec:
  selector:
    istio: ingress # using istio ingress gateway
  servers:
  - port:
      number: 9093
      name: tcp-9093
      protocol: TCP
    hosts:
    - "mydomain.com"
```
```yaml
# failing https gateway
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: testing
spec:
  selector:
    istio: ingress # use istio ingress gateway
  servers:
  - port:
      number: 9093
      name: https-9093
      protocol: HTTPS
    hosts:
    - "mydomain.com"
    tls:
      mode: SIMPLE
      credentialName: my_tls_cred_secret
```
Below is the response the client gets with HTTPS:
```
StatusCode="Unavailable", Detail="upstream connect error or disconnect/reset before headers. reset reason: remote reset"
```
Below are the logs from the Istio ingress gateway controller:
```
[2023-08-09T08:22:26.459Z] "POST /greet.Greeter/SayHello HTTP/2" 200 UR upstream_reset_before_response_started{remote_reset} - "-" 12 0 2 - "91.145.126.17" "grpc-dotnet/2.54.0 (.NET 7.0.9; CLR 7.0.9; net7.0; osx; x64)" "706488d1-1954-4dc5-a252-d1df34a23576" "mydomain.com:9093" "10.244.0.41:5001" outbound|5001||app-svc.testing.svc.cluster.local 10.244.0.12:35426 10.244.0.12:9093 91.145.126.17:62974 mydomain.com -
```
versions:
It seems it is because of the :scheme mismatch, since the original request is in HTTPS and Istio terminates it to HTTP. This mismatch is then detected by the Kestrel server in ASP.NET, which rejects the request. To allow the request to go through, KestrelServerOptions.AllowAlternateSchemes = true needs to be set.
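```csharp
WebApplicationBuilder builder = WebApplication.CreateBuilder(args);
builder.Services.AddGrpc();
builder.WebHost.ConfigureKestrel(options =>
{
    // Accept an HTTP/2 :scheme that differs from the transport scheme
    // (here "https" from the client, arriving over the gateway's plaintext hop).
    options.AllowAlternateSchemes = true;
});
```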
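Kestrel's documentation for AllowAlternateSchemes says to enable it only behind a trusted proxy and to validate that an expected scheme was provided before using it. The following is an added example, not part of the original answer, showing that check as middleware; the allowlist contents and the placeholder endpoint are assumptions.

```csharp
// Added example (not from the original post): enable AllowAlternateSchemes
// and reject any request whose :scheme is not one the service expects.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddGrpc();

builder.WebHost.ConfigureKestrel(options =>
{
    // :scheme no longer has to match the transport; Request.Scheme will
    // reflect whatever value arrives in the HTTP/2 pseudo-header.
    options.AllowAlternateSchemes = true;
});

var app = builder.Build();

// Assumed allowlist: "https" from clients via the TLS-terminating gateway,
// "http" from plaintext callers inside the cluster.
var expectedSchemes = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
{
    "http",
    "https",
};

app.Use(async (context, next) =>
{
    // Validate before anything downstream builds URLs, redirects or
    // security decisions from Request.Scheme.
    if (!expectedSchemes.Contains(context.Request.Scheme))
    {
        app.Logger.LogWarning(
            "Rejected request with unexpected :scheme {Scheme} from {Remote}",
            context.Request.Scheme,
            context.Connection.RemoteIpAddress);
        context.Response.StatusCode = StatusCodes.Status400BadRequest;
        return;
    }

    await next(context);
});

// Placeholder endpoint so the sample runs on its own; a real service would
// register its gRPC implementation here with app.MapGrpcService<T>().
app.MapGet("/", () => "ok");

app.Run();
```

Because the scheme is now taken from the request rather than from the connection, the pod should only be reachable through the gateway or mesh sidecar, not directly from untrusted networks.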