A ns w/o sidecars affects one with: 400 Bad request for external http URL


istio 1.8.2; k8s 1.18.14 (AKS)

I’m not an expert, maybe someone can point me in the right direction…

There is a namespace A with sidecar injection enabled;
There is another B without.

In namespace A there is an application that needs to query an external Elasticsearch cluster on port 9200.
In B, there is an installation of an ES, and it has 2 services on port 9200, one of them headless. Both expose port 9200 with name http.

When I curl in A my external url, I see headers from envoy. If I rename ports in services in B not to start with http, or change port, I don’t see those headers anymore.

Some Java application queries that external ES; however, when the other namespace exposes port 9200 on some service with http, at some point I get HTTP/1.1 400 Bad request

When I curl to that URL, it returns a value, and I see it is actually from the external service, as it should be (regardless of additional headers).

I tried to run tcpdump to look at http traffic on port 9200. When I curl, I see the request right away in tcpdump.

When the app starts, I get this error, I quit the app, and then only after 10-30 seconds, I see the traffic filtered by tcpdump.

In istio-proxy’s logs I can see a "- - HTTP/1.1" 400 DPE "-" … request that corresponds to that error.

I’m not sure where to look more, I was trying to set up an external service, but no difference…

Thanks for any hint!

Any resolution for this issue? I am also facing a similar issue. I am using Istio 1.8.2.