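How to add tls_renegotiation via an Istio envoy-proxy filter

Time: 2020-02-28 12:41:09

Tags: kubernetes istio

Can someone help me put together https://istio.io/docs/reference/config/networking/envoy-filter/ and https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto to allow tls_renegotiation on a specific outgoing domain through egress mTLS origination?

I have several third-party services that work perfectly with Istio mTLS origination through the egress gateway, and I am debugging a third-party service that does not work. Istio retries 3 times and throws a 503 UC.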

[2020-02-26 22:22:20.817][55][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:201] [C112] TLS error: 268435638:SSL routines:OPENSSL_internal:NO_RENEGOTIATION 268435650:SSL routines:OPENSSL_internal:PROTOCOL_IS_SHUTDOWN
[2020-02-26 22:22:20.817][55][debug][client] [external/envoy/source/common/http/codec_client.cc:82] [C112] disconnect. resetting 1 pending requests
[2020-02-26 22:22:20.817][55][debug][client] [external/envoy/source/common/http/codec_client.cc:105] [C112] request reset

My Istio snippet so far:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: allow-tls-renegotiation
spec:
  workloadSelector:
    labels:
      istio: egressgateway
  configPatches:
    - applyTo: FILTER_CHAIN
      match:
        context: GATEWAY
        listener:
          filterChain:
            sni: <domain>
      patch:
        operation: MERGE
        value:
          transport_socket:
            name: tls
            typed_config:
              "@type": type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext
              allow_renegotiation: true

0 answers:

No answers
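
Added example (not part of the original question or of Istio/Envoy): a Python triage of Envoy debug logs in the layout quoted above, grouping lines by connection id and flagging connections where a NO_RENEGOTIATION TLS error coincided with reset requests. The sample log is constructed from the lines in the question plus one invented C113 line, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the Envoy debug-log layout quoted in the question.
SAMPLE_LOG = """\
[2020-02-26 22:22:20.817][55][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:201] [C112] TLS error: 268435638:SSL routines:OPENSSL_internal:NO_RENEGOTIATION 268435650:SSL routines:OPENSSL_internal:PROTOCOL_IS_SHUTDOWN
[2020-02-26 22:22:20.817][55][debug][client] [external/envoy/source/common/http/codec_client.cc:82] [C112] disconnect. resetting 1 pending requests
[2020-02-26 22:22:20.817][55][debug][client] [external/envoy/source/common/http/codec_client.cc:105] [C112] request reset
[2020-02-26 22:22:21.004][55][debug][client] [external/envoy/source/common/http/codec_client.cc:82] [C113] disconnect. resetting 0 pending requests
"""

# [time][thread][level][component] [source:line] [C<id>] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<tid>\d+)\]\[(?P<level>\w+)\]\[(?P<comp>\w+)\] "
    r"\[(?P<src>[^\]]+)\] \[C(?P<conn>\d+)\] (?P<msg>.*)$"
)
# Each TLS error entry is "<code>:<library>:<function>:<REASON>".
TLS_ERR_RE = re.compile(r"(\d+):([^:]+):([^:]+):([A-Z0-9_]+)")
RESET_RE = re.compile(r"resetting (\d+) pending requests")


def triage(log_text):
    """Return {conn_id: {"reasons": [...], "reset_requests": n}} per connection."""
    conns = defaultdict(lambda: {"reasons": [], "reset_requests": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected layout; skip
        conn, msg = int(m["conn"]), m["msg"]
        if msg.startswith("TLS error:"):
            conns[conn]["reasons"] += [r[3] for r in TLS_ERR_RE.findall(msg)]
        reset = RESET_RE.search(msg)
        if reset:
            conns[conn]["reset_requests"] += int(reset.group(1))
    return dict(conns)


def renegotiation_failures(log_text):
    """Connection ids where NO_RENEGOTIATION was logged and requests were reset."""
    return sorted(
        conn for conn, info in triage(log_text).items()
        if "NO_RENEGOTIATION" in info["reasons"] and info["reset_requests"] > 0
    )


if __name__ == "__main__":
    print(renegotiation_failures(SAMPLE_LOG))
```
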