Accessing a service using Istio ingress gives a 503 error when mTLS is enabled

悲&欢浪女 2020-12-03 15:22

I have a mutual-TLS-enabled Istio mesh. My setup is as follows:

  1. A service running inside a pod (Service container + envoy)
  2. An envoy gateway wh
1 answer
  • 2020-12-03 15:57

    The problem is probably as follows: istio-ingressgateway initiates mTLS to hr--gateway-service on port 80, but hr--gateway-service expects plain HTTP connections.

    There are multiple solutions:

    1. Define a DestinationRule to instruct clients to disable mTLS on calls to hr--gateway-service
       apiVersion: networking.istio.io/v1alpha3
       kind: DestinationRule
       metadata:
         name: hr--gateway-service-disable-mtls
       spec:
         host: hr--gateway-service.default.svc.cluster.local
         trafficPolicy:
           tls:
             mode: DISABLE
    
    2. Instruct hr-gateway-service to accept mTLS connections. For that, configure the server TLS options on port 80 to be MUTUAL and to use Istio certificates and the private key. Specify serverCertificate, caCertificates and privateKey to be /etc/certs/cert-chain.pem, /etc/certs/root-cert.pem, /etc/certs/key.pem, respectively.
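The two fixes from the answer above, written out as complete manifests. This is an added example, not code from the question or the answer. It assumes hr--gateway-service lives in namespace default, exposes port 80, and that its pods carry the label app: hr--gateway-service; none of those details are stated on the page. Option 1 is scoped more narrowly than the answer's rule: instead of disabling client-side mTLS for the whole host, it disables it only for port 80, so any other port on the same service keeps mutual TLS.

```yaml
# Added example (not from the original answer). Assumed: namespace "default",
# port 80, pod label app: hr--gateway-service. Apply ONE of the two options,
# not both; they are alternatives.

# Option 1: tell clients (here, istio-ingressgateway) to speak plaintext to
# port 80 of hr--gateway-service only. Other ports on the host are unaffected.
# Caveat: the hop from the ingress gateway to this port is then unencrypted
# and unauthenticated inside the cluster.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: hr--gateway-service-port80-plaintext
  namespace: default
spec:
  host: hr--gateway-service.default.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: DISABLE
---
# Option 2: keep mTLS end to end. The Envoy gateway in front of
# hr--gateway-service terminates mutual TLS on port 80 using the workload
# certificate and key that Istio mounts into the pod (the /etc/certs paths
# named in the answer). Istio requires protocol HTTPS (or TLS) on a server
# that carries tls settings, so port 80 is declared as HTTPS here.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: hr--gateway
  namespace: default
spec:
  selector:
    app: hr--gateway-service   # assumed pod label; must match the gateway pods
  servers:
  - port:
      number: 80
      name: https-mtls
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: MUTUAL
      serverCertificate: /etc/certs/cert-chain.pem
      privateKey: /etc/certs/key.pem
      caCertificates: /etc/certs/root-cert.pem
```

Apply the chosen option with kubectl apply -f. To confirm what the ingress side will actually do for this host, inspect its outbound cluster with istioctl proxy-config cluster <ingressgateway-pod>.istio-system --fqdn hr--gateway-service.default.svc.cluster.local -o json and check whether a transport_socket with TLS is attached. On Istio releases that hand out workload certificates over SDS rather than mounting them under /etc/certs, the equivalent of option 2 is tls.mode: ISTIO_MUTUAL on the Gateway server, which uses the gateway's own Istio-issued identity without naming file paths.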