
I have a Java WAR file for which I have created an image. When I run the image locally it works fine over HTTP.

Now I am trying to run the containers using Kubernetes. I created a Kubernetes Service to expose the app Pod to the outside.

Below is my Kubernetes deployment.yaml. I am not an expert in Docker and Kubernetes, and I am especially lost in the different metadata of Kubernetes Services. I might have made a mistake there in exposing both HTTP and HTTPS, on 8080 and 443 respectively.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: demo
  name: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: demo
    spec:
      containers:
      - image: <imagename1>
        name: cmisfileshare
        resources: {}
        imagePullPolicy: Always
status: {}
---
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: demo
  name: demo
spec:
  ports:
  - name: http
    port: 8080
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: demo
  type: ClusterIP
status:
  loadBalancer: {}
```

Now when I run my application I get the following error in my browser:

```
upstream connect error or disconnect/reset before headers. reset reason: connection failure
```

[UPDATE]

Then I expose the service by applying Kyma API Rules which internally create an Istio virtual service.

If I keep the service as follows, then it works:

```yaml
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: demo
  name: demo
spec:
  ports:
  - name: 8080-8080
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    app: demo
  type: ClusterIP
status:
  loadBalancer: {}
```

Then the endpoint is exposed as HTTPS, but the actual traffic from the Istio/Envoy proxy to my app is still HTTP: in my code I fetch a Java servlet request's protocol and it returns HTTP.

How do I enable TLS/HTTPS traffic from Istio to App?

saurav
  • What URL are you trying to connect to from your browser? What port (or ports) is the application code listening on? – David Maze Jul 03 '21 at 13:29
  • App is deployed in SAP Kyma platform https://cmisfileshare.cba47a8.kyma-stage.shoot.live.k8s-hana.ondemand.com/....haven't specified any port details in the app – saurav Jul 03 '21 at 13:46
  • The application is being exposed as ClusterIP which means it is visible only inside the cluster (AKA from other containers running in the cluster) so, on its own, this configuration wouldn't expose the app to a browser. Is there additional configuration (like an Ingress) which you applied that exposes this particular service outside the cluster? – AndD Jul 03 '21 at 14:00
  • Yes... it is exposed as Kyma API Rules, or internally it creates an Istio resource... I have updated my post, please check – saurav Jul 04 '21 at 07:16
  • I think the issue is with the Istio policy which terminates TLS at the Envoy proxy – saurav Jul 05 '21 at 02:29
  • Please check if the solution provided [here](https://stackoverflow.com/questions/63408608/upstream-connect-error-or-disconnect-reset-before-headers-reset-reason-connect) works for you. – Hector Martinez Rodriguez May 30 '22 at 05:30
  • Was this issue resolved? If yes, what's the root cause and what's the solution? – Baolin Li Aug 07 '23 at 16:35

0 Answers
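
A small check for the difference between the two Service specs in the question, as an added example that is not part of the original post: it flags a `targetPort` with no listener behind it and reads the protocol Istio infers from the port name. The function name, the JSON form of the specs and the listening-port set `{8080}` are assumptions constructed for illustration; the question does not state which ports the container listens on.

```python
import json

# Protocol prefixes Istio reads from a Service port name (<protocol>[-<suffix>]).
# A subset of Istio's documented list, enough for this example.
ISTIO_PREFIXES = {"http", "http2", "https", "grpc", "tcp", "tls"}
TLS_PREFIXES = {"https", "tls"}


def check_service_ports(service, listening):
    """Return findings per Service port, given the ports the container listens on."""
    findings = []
    for p in service["spec"]["ports"]:
        name = p.get("name") or str(p["port"])
        target = p.get("targetPort", p["port"])  # targetPort defaults to port
        prefix = name.split("-", 1)[0]
        if isinstance(target, str):  # named port: cannot be compared numerically
            findings.append(f"{name}: named targetPort {target!r}; "
                            "resolve it against the containerPort names")
            continue
        if target not in listening:
            findings.append(f"{name}: targetPort {target} has no listener; "
                            "the proxy's upstream connection will fail")
        if prefix not in ISTIO_PREFIXES:
            findings.append(f"{name}: no protocol prefix; Istio falls back to "
                            "protocol detection or plain TCP")
        elif prefix in TLS_PREFIXES and target in listening:
            findings.append(f"{name}: declared as TLS; the container must "
                            f"terminate TLS itself on {target}")
    return findings


# Constructed input: the two Service specs from the question, as JSON.
FAILING = json.loads("""{"spec": {"ports": [
  {"name": "http",  "port": 8080, "protocol": "TCP", "targetPort": 80},
  {"name": "https", "port": 443,  "protocol": "TCP", "targetPort": 443}]}}""")
WORKING = json.loads("""{"spec": {"ports": [
  {"name": "8080-8080", "port": 8080, "protocol": "TCP", "targetPort": 8080}]}}""")

# Assumption: the container listens only on 8080 (plain HTTP).
LISTENING = {8080}

if __name__ == "__main__":
    for label, svc in (("failing", FAILING), ("working", WORKING)):
        print(label)
        for finding in check_service_ports(svc, LISTENING) or ["ok"]:
            print("  " + finding)
```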