Description
Bug description
As soon as I install a service entry for a specific application and with the policy set to defaults (ALLOW_ANY), all the pods in the cluster can no longer connect to external HTTPS services, returning curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
Affected product area (please put an X in all that apply)
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Expected behavior
HTTPS connections should keep working as normal, i
Steps to reproduce the bug
- I install Istio with the default ALLOW_ANY policy (default - nothing extra specified in the installation - look below).
- I install some applications. They can successfully connect to external services making HTTPS connections (for example, I can do curl https://google.com).
- I install the following service entry, needed for a very specific application only, to perform TLS origination from the egress gateway:
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: special-service
spec:
  hosts:
  - my.external.host.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: http-port-for-gad-test-tls-orgination
    protocol: HTTP
  resolution: DNS
- As soon as I install the service entry, HTTPS connections from any pod don't work anymore, returning the following error:
  curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
- As a side note, HTTP connections keep working normally.
- As soon as I delete the service entry I can again connect to HTTPS services.
Version (include the output of istioctl version --remote and kubectl version)
$ istioctl version
client version: 1.2.2
citadel version: 1.2.2
egressgateway version: 1.2.2
galley version: 1.2.2
ingressgateway version: 1.2.2
pilot version: 1.2.2
policy version: 1.2.2
sidecar-injector version: 1.2.2
telemetry version: 1.2.2
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.2", GitCommit:"66049e3b21efe110454d67df4fa62b08ea79a19b", GitTreeState:"clean", BuildDate:"2019-05-16T16:23:09Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.5", GitCommit:"2166946f41b36dea2c4626f90a77706f426cdea2", GitTreeState:"clean", BuildDate:"2019-03-25T15:19:22Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
How was Istio installed?
#!/usr/bin/env bash
# Istio installation - start
# Add locally the Istio helm repository and download repo index
helm repo add istio.io https://storage.googleapis.com/istio-release/releases/1.2.2/charts/
helm repo update
# Create Istio namespace
kubectl create namespace istio-system || true
# Install Istio CRDs
helm install istio.io/istio-init --name istio-init --namespace istio-system || true
# Wait until Istio CRDs are equal to 23.
while [ "$(kubectl get crds | grep -c 'istio.io')" -ne 23 ]
do
    echo "Istio CRDs should be 23. Waiting for Istio CRDs to be created..."
    sleep 5   # poll instead of spinning while the CRDs register
done
echo "Istio CRDs successfully created. Moving on."
# Install Istio using the default profile (more options at https://istio.io/docs/setup/kubernetes/install/helm/)
helm install istio.io/istio \
    --name istio \
    --namespace istio-system \
    --set 'gateways.istio-ingressgateway.loadBalancerIP'='X.Y.W.Z' \
    --set 'gateways.istio-egressgateway.enabled'=true \
    || true
# Istio installation - end
Environment where bug was observed (cloud vendor, OS, etc)
Azure AKS
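A check a practitioner would run first on a report like this, added here as an example and not part of the issue or of Istio's own tooling: curl's error 35 with SSL23_GET_SERVER_HELLO:unknown protocol means the first bytes that came back were not a TLS record at all. A ServiceEntry that declares port 443 as protocol HTTP and carries no addresses makes the sidecar build an HTTP listener bound to 0.0.0.0:443, and that listener receives every intercepted connection to port 443 from every pod, not only connections to my.external.host.com; a TLS ClientHello landing there is parsed as plaintext HTTP and answered with a non-TLS reply. The script below looks for exactly that listener in the JSON that `istioctl proxy-config listeners <pod> --port 443 -o json` prints, and runs against two constructed dumps so it works offline: one shaped like the sidecar after the ServiceEntry above, one shaped like the same port declared as protocol TLS (tls_inspector plus SNI filter chains and a passthrough fallback). The JSON layout follows Envoy's Listener JSON as printed by istioctl of that era, the filter names are the pre-1.4 Envoy names, and the cluster and route names are made up; whether a TLS-typed port still fits the egress-gateway TLS-origination flow the reporter needs is not something this page settles.

```python
import json

# Envoy filter names as emitted by the Istio 1.2-era proxy (assumed; compare
# with your own dump, later Envoy releases renamed these).
HTTP_CONN_MANAGER = "envoy.http_connection_manager"
TLS_INSPECTOR = "envoy.listener.tls_inspector"
TCP_PROXY = "envoy.tcp_proxy"


def _socket_address(listener):
    addr = listener.get("address", {}).get("socketAddress", {})
    return addr.get("address"), addr.get("portValue")


def _listener_filter_names(listener):
    return {f.get("name") for f in listener.get("listenerFilters", [])}


def _network_filter_names(listener):
    return {
        f.get("name")
        for chain in listener.get("filterChains", [])
        for f in chain.get("filters", [])
    }


def captures_tls_as_http(listener, port=443):
    """True if the listener is bound to the wildcard address on `port` and
    hands incoming bytes straight to the HTTP connection manager with no
    tls_inspector in front of it. Every sidecar-intercepted connection to
    that port, from any pod, then gets parsed as plaintext HTTP, and a TLS
    ClientHello receives a reply that is not a TLS record (curl error 35,
    'unknown protocol')."""
    address, bound_port = _socket_address(listener)
    if address != "0.0.0.0" or bound_port != port:
        return False
    if TLS_INSPECTOR in _listener_filter_names(listener):
        return False  # TLS-aware listener: handshakes are routed by SNI or passed through
    return HTTP_CONN_MANAGER in _network_filter_names(listener)


def find_capturing_listeners(dump, port=443):
    """Names of listeners in a listener dump that would swallow TLS on `port`."""
    return [l.get("name", "?") for l in dump if captures_tls_as_http(l, port)]


def load_dump(text):
    """Parse the JSON array that `istioctl proxy-config listeners -o json` prints."""
    return json.loads(text)


# Constructed sample: sidecar shape after the ServiceEntry in this issue
# (port 443 declared as HTTP). Route names are invented.
AFTER_HTTP_SERVICE_ENTRY = """[
  {"name": "0.0.0.0_80",
   "address": {"socketAddress": {"address": "0.0.0.0", "portValue": 80}},
   "filterChains": [{"filters": [{"name": "envoy.http_connection_manager",
                                  "config": {"rds": {"route_config_name": "80"}}}]}]},
  {"name": "0.0.0.0_443",
   "address": {"socketAddress": {"address": "0.0.0.0", "portValue": 443}},
   "filterChains": [{"filters": [{"name": "envoy.http_connection_manager",
                                  "config": {"rds": {"route_config_name": "443"}}}]}]}
]"""

# Constructed sample: the same port declared as protocol TLS instead, giving an
# SNI-matching chain for the declared host and a passthrough fallback chain.
AFTER_TLS_SERVICE_ENTRY = """[
  {"name": "0.0.0.0_443",
   "address": {"socketAddress": {"address": "0.0.0.0", "portValue": 443}},
   "listenerFilters": [{"name": "envoy.listener.tls_inspector"}],
   "filterChains": [
     {"filterChainMatch": {"serverNames": ["my.external.host.com"]},
      "filters": [{"name": "envoy.tcp_proxy",
                   "config": {"cluster": "outbound|443||my.external.host.com"}}]},
     {"filters": [{"name": "envoy.tcp_proxy",
                   "config": {"cluster": "PassthroughCluster"}}]}
   ]}
]"""


if __name__ == "__main__":
    for label, text in [("port 443 as HTTP", AFTER_HTTP_SERVICE_ENTRY),
                        ("port 443 as TLS", AFTER_TLS_SERVICE_ENTRY)]:
        bad = find_capturing_listeners(load_dump(text))
        print(f"{label}: {'captures TLS on ' + ', '.join(bad) if bad else 'ok'}")
```

To use it on a live cluster, pipe the output of `istioctl proxy-config listeners <pod>.<namespace> -o json` into load_dump and inspect find_capturing_listeners; the port-80 HTTP listener is deliberately left alone, which matches the reporter's note that plain HTTP keeps working.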