I'm curious if anyone has successfully configured end-to-end (E2E) encryption using an Istio Gateway on AWS. Specifically, I'm using an ACM certificate on the Network Load Balancer (NLB) and a self-signed certificate on the Istio Gateway. However, I keep encountering 'Empty Reply From Server' errors. To give you some context, terminating SSL on the NLB and then sending plain text to the Gateway works fine. I also tried TCP passthrough from the NLB to the Gateway, but the browser presents the self-signed certificate at the Gateway, which isn't ideal. Any advice or guidance would be appreciated!
4 Answers
I manage a wildcard certificate on a shared gateway per cluster, and I don’t hit any rate limits with cert-manager. You can also ask for rate limit increases if needed. I faced some challenges with proxy mode and the number of hops in a gateway API with NLB, but I can share my configuration with you if that helps!
If possible, I'd recommend using cert-manager to generate a Let's Encrypt certificate and terminating TLS at the Gateway instead of the NLB. However, at my workplace, we aren't allowed to use Let's Encrypt, so I have a similar setup to yours with the ACM certificate on the NLB and a self-signed one on the Gateway. Happy to assist further if you need! I've been using Istio for about five years now.
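Configuration that implements this answer's suggestion (keep the NLB as L4 TCP passthrough, terminate TLS once at the Istio Gateway with a cert-manager certificate). This is an added example, not any poster's configuration; `app.example.com`, `letsencrypt-prod` and the `app-cert` names are assumptions, and the Service uses the in-tree `aws-load-balancer-type` annotation.

```yaml
# Added example; app.example.com, letsencrypt-prod and app-cert are assumed names.
# 1. Ingress gateway Service: no ssl-cert/ssl-ports annotations, so the NLB never
#    decrypts and never forwards plaintext to a listener that expects TLS.
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
  type: LoadBalancer
  selector:
    istio: ingressgateway
  ports:
    - name: https
      port: 443
      targetPort: 8443   # default HTTPS port of the ingress gateway pod
---
# 2. cert-manager writes the certificate into the gateway pods' namespace.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-cert
  namespace: istio-system
spec:
  secretName: app-cert-tls
  dnsNames:
    - app.example.com
  issuerRef:
    name: letsencrypt-prod   # assumed ClusterIssuer
    kind: ClusterIssuer
---
# 3. The Gateway terminates TLS with that secret, so browsers see the trusted cert.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: app-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: app-cert-tls
      hosts:
        - app.example.com
```

A quick check after applying it: `openssl s_client -connect app.example.com:443 -servername app.example.com` should show the cert-manager-issued chain rather than the self-signed one.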
I use an ACM certificate directly on the Istio Gateway and don’t decrypt on the NLB at all. Have you tried accessing each component directly? Also, why opt for a self-signed certificate in the first place?
Honestly, I chose a self-signed certificate because it's straightforward and has less operational overhead. My goal is just to get everything working smoothly before refining it. I was hesitant to use Let's Encrypt due to potential rate limits when scaling up.
I’m not too familiar with AWS, but if I understand correctly, the NLB is a Layer 4 (L4) load balancer. If you’re using a self-signed certificate on your ingress, the NLB must trust that certificate's issuer, or you might run into errors when trying to connect.
It’s an L4 load balancer, so your assumption is on point! That's helpful to consider.
I might get in trouble for suggesting a wildcard cert, though! Still, I appreciate the offer!