istio 1.8.2; k8s 1.18.14 (AKS)
I’m not an expert, maybe someone can point me in the right direction…
There is a namespace A with sidecar injection enabled;
There is another B without.
In namespace A there is an application that needs to query an external Elasticsearch cluster on port 9200.
In B, there is an installation of ES, and it has 2 services on port 9200, one of them headless. Both expose port 9200 with name http.
When I curl my external URL from A, I see headers from Envoy. If I rename the ports in the services in B so they don’t start with http, or change the port, I don’t see those headers anymore.
Some Java application queries that external ES; however, when the other namespace exposes port 9200 on some service with http, at some point I get HTTP/1.1 400 Bad request.
When I curl that URL, it returns a value, and I see it is actually from the external service, as it should be (regardless of the additional headers).
I tried to run tcpdump to look at http traffic on port 9200. When I curl, I see the request right away in tcpdump.
When the app starts, I get this error, I quit the app, and then only after 10-30 seconds do I see the traffic filtered by tcpdump.
In istio-proxy’s logs I can see a “- - HTTP/1.1” 400 DPE “-” … request that corresponds to that error.
I’m not sure where to look further. I was trying to set up an external service, but it made no difference…
Thanks for any hint!