401 unauthorized multicluster replicated control plane

I followed the official doc to set up Istio multicluster using replicated control plane…

When I curl, I get a 401 Unauthorized error:

$ kubectl exec --context=$CTX_CLUSTER1 $SLEEP_POD -n foo -c sleep -- curl -I httpbin.bar.global:8000/headers
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
HTTP/1.1 401 Unauthorized
content-length: 27
content-type: text/plain
date: Mon, 17 Aug 2020 22:14:58 GMT
server: envoy
x-envoy-upstream-service-time: 5

  0    27    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

I checked the Envoy proxy of httpbin in cluster 2; here are the logs:

[Envoy (Epoch 0)] [2020-08-17 20:27:18.589][22][error][filter] [src/envoy/http/authn/authenticator_base.cc:73] [C34] trust domain validation failed: peer trust domain aks-clustera different from local trust domain aks-cluster-b
[Envoy (Epoch 0)] [2020-08-17 20:31:54.551][15][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:91] gRPC config stream closed: 13,
[Envoy (Epoch 0)] [2020-08-17 20:43:36.583][22][error][filter] [src/envoy/http/authn/authenticator_base.cc:73] [C37] trust domain validation failed: peer trust domain aks-cluster-a different from local trust domain aks-cluster-b

I am using the same root certificate in the 2 clusters. What is happening?
Istio version: 1.5.6
Kubernetes: 1.16.10

Are you able to verify they are the same root/trust bundles in the proxy at runtime?


I have set a custom trustDomain in the IstioOperator spec. So for each cluster, the trustDomain name would be different. I see that there is an option to skip trust domain validation for v1.3.x; however, I do not see it for any other versions unless I am missing something?

Link: https://istio.io/v1.5/news/releases/1.3.x/announcing-1.3/upgrade-notes/#trust-domain-validation
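As an added example that is not part of this thread and not Istio's own code: a small Python model of the check the httpbin-side proxy is applying when it logs "trust domain validation failed". The point it makes explicit is that the check compares the trust domain carried in the client's SPIFFE ID (the URI SAN of its workload certificate, spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>) with the receiving proxy's own trust domain; the root CA that signed the certificate is not an input, so sharing one root across both clusters does not make it pass. The cluster names and SPIFFE IDs below are constructed to match the log lines above. The `trust_domain_aliases` field models the Istio 1.4+ meshConfig `trustDomainAliases` list, which this thread does not mention; treat that mapping as an assumption of the example.

```python
"""Added example, not from the thread or from Istio's source: a model of the
server-side trust-domain check behind the "trust domain validation failed"
log line. Assumptions beyond the thread: `trust_domain_aliases` stands in for
Istio 1.4+ meshConfig.trustDomainAliases, and all SPIFFE IDs are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    namespace: str
    service_account: str


def parse_istio_spiffe_id(uri: str) -> SpiffeId:
    """Parse the URI SAN of an Istio workload cert:
    spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>.
    The trust domain is the URI authority; the issuer is never consulted,
    which is why a shared root CA does not satisfy this check."""
    parsed = urlparse(uri)
    if parsed.scheme != "spiffe" or not parsed.netloc:
        raise ValueError(f"not a SPIFFE ID: {uri!r}")
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "ns" or parts[2] != "sa" or not (parts[1] and parts[3]):
        raise ValueError(f"not an Istio workload identity: {uri!r}")
    return SpiffeId(parsed.netloc, parts[1], parts[3])


@dataclass
class ServerProxy:
    """The sidecar in front of httpbin, configured with its cluster's trust domain."""
    trust_domain: str
    trust_domain_aliases: Tuple[str, ...] = ()   # assumed model of meshConfig.trustDomainAliases
    log: List[str] = field(default_factory=list)  # constructed stand-in for the Envoy log

    def validate_peer(self, peer_uri_san: str) -> bool:
        """True if the peer's trust domain is the local one or a listed alias.
        On failure, record the same message shape as the log line in the thread."""
        peer = parse_istio_spiffe_id(peer_uri_san)
        if peer.trust_domain == self.trust_domain or peer.trust_domain in self.trust_domain_aliases:
            return True
        self.log.append(
            "trust domain validation failed: peer trust domain "
            f"{peer.trust_domain} different from local trust domain {self.trust_domain}"
        )
        return False

    def handle(self, peer_uri_san: str) -> int:
        """HTTP status the client sees: 401 when the identity is rejected."""
        return 200 if self.validate_peer(peer_uri_san) else 401


def cross_cluster_matrix(clusters: Dict[str, ServerProxy]) -> Dict[Tuple[str, str], int]:
    """Status of a call from a sleep pod in each cluster to httpbin in every other
    cluster, using a constructed client identity spiffe://<trust-domain>/ns/foo/sa/sleep."""
    results: Dict[Tuple[str, str], int] = {}
    for src_name, src in clusters.items():
        client_id = f"spiffe://{src.trust_domain}/ns/foo/sa/sleep"
        for dst_name, dst in clusters.items():
            if src_name != dst_name:
                results[(src_name, dst_name)] = dst.handle(client_id)
    return results


if __name__ == "__main__":
    # The thread's setup: a different trustDomain in each cluster's IstioOperator spec.
    broken = {"a": ServerProxy("aks-cluster-a"), "b": ServerProxy("aks-cluster-b")}
    print(cross_cluster_matrix(broken))   # 401 in both directions
    print(broken["b"].log[-1])            # the log line from the thread

    # Fix 1: one shared trust domain in both clusters.
    shared = {"a": ServerProxy("cluster.local"), "b": ServerProxy("cluster.local")}
    print(cross_cluster_matrix(shared))   # 200 in both directions

    # Fix 2 (assumed, Istio 1.4+): keep distinct names, alias the other cluster's domain.
    aliased = {
        "a": ServerProxy("aks-cluster-a", ("aks-cluster-b",)),
        "b": ServerProxy("aks-cluster-b", ("aks-cluster-a",)),
    }
    print(cross_cluster_matrix(aliased))  # 200 in both directions
```

For the runtime check the reply above asks for, the same two inputs are what to compare across clusters: the trust domain in the URI SAN of each workload's certificate chain (for example `openssl x509 -in cert-chain.pem -noout -ext subjectAltName`, however you retrieve the PEM from the istio-proxy container) and the fingerprint of the root certificate each proxy trusts (`openssl x509 -in root-cert.pem -noout -fingerprint -sha256`). Matching root fingerprints with differing SPIFFE trust domains is exactly the state the model's `broken` case reproduces.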