I am new to Kubernetes and need some help.
I am running an Istio mesh where all my services are using mTLS. These are gRPC services. Here is my PeerAuthentication inside the namespace:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "default"
  namespace: db1
spec:
  mtls:
    mode: STRICT
Here are my services:
➜ ~ kubectl -n db1 get svc
NAME   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)              AGE
db1    ClusterIP   10.100.114.234   <none>        19530/TCP,9091/TCP   62m
My pods inside the mesh are running fine and can talk to each other. I want an HAProxy, which is in a different namespace and outside the mesh, to talk to my db1 service.
As db1 is a gRPC service, I have this HAProxy config:
global
    log stdout format raw local0 info
    maxconn 1024

defaults
    log global
    mode http
    timeout client 60s
    timeout connect 60s
    timeout server 60s

frontend fe_main
    bind *:19530 proto h2
    mode http
    http-request capture req.hdr(Host) len 100
    default_backend be_db1

backend be_db1
    mode http
    server-template db1-milvus 1 db1.db1.svc.cluster.local:19530 check proto h2 ssl verify none crt /etc/certs/shared/db1_haproxy_certs.pem
I don't see any request going to my db1 service from HAProxy. However, if I disable mTLS inside the Istio mesh and remove the ssl/crt part of the HAProxy config, I do see a successful connection.
What am I missing in my HAProxy ssl config? Please advise.
Thanks.
The FAQ here covers your question. Basically, you can't have STRICT mTLS enabled as the non-mesh workloads won't have a valid Istio workload certificate.
One of the solutions is to enable PERMISSIVE mode in this case.
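As an added illustration (not part of the original thread), here is what the PERMISSIVE approach looks like if you want to limit it to the one workload and the one port HAProxy needs, rather than relaxing the whole namespace. It keeps the namespace-wide STRICT policy from the question and adds a workload-scoped PeerAuthentication that overrides it only for the db1 pods on port 19530. The `app: db1` label and the container port 19530 are assumptions; Istio keys `portLevelMtls` by the workload's container port, so check the pod spec if the Service port is remapped.

```yaml
# Added example, not from the original post. Assumes the db1 pods carry the
# label app=db1 and listen on container port 19530 (both assumptions).
# Apply with: kubectl -n db1 apply -f db1-port-permissive.yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: db1-allow-plaintext-19530
  namespace: db1
spec:
  # Workload selector is required when portLevelMtls is used.
  selector:
    matchLabels:
      app: db1
  # Everything on this workload stays STRICT ...
  mtls:
    mode: STRICT
  # ... except the gRPC port that the out-of-mesh HAProxy connects to.
  # PERMISSIVE means the sidecar accepts both Istio mTLS and plaintext here,
  # so in-mesh clients still use mTLS while HAProxy can speak plaintext h2.
  portLevelMtls:
    19530:
      mode: PERMISSIVE
```

With this in place the HAProxy backend line should connect in plaintext, i.e. keep `proto h2` but drop `ssl verify none crt ...`, since the sidecar is not expecting a client certificate that HAProxy could present anyway. Note what you are trading: any pod that can reach the db1 pods on 19530 can now send unauthenticated plaintext to that port, so the policy is deliberately scoped to one workload and one port, and the remaining port (9091) and every other workload in the namespace keep STRICT.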