A ns w/o sidecars affects one with: 400 Bad request for external http URL

Hello,

istio 1.8.2; k8s 1.18.14 (AKS)

I’m not an expert, maybe someone can point me out in the right direction…

There is a namespace A with sidecar injection enabled;
There is another B without.

In namespace A there is an application that needs to query external elastic search cluster on port 9200.
In B, there is an installation of an ES, and it has 2 services on port 9200, one of them headless. Both expose port 9200 with name http.

When I curl in A my external url, I see headers from envoy. If I rename ports in services in B not to start with http, or change port, I don’t see those headers anymore.

Some java application queries that external ES, however, when the other namespace exposes port 9200 on some service with http, at some point I get HTTP/1.1 400 Bad request

When I curl to that url, it returns a value, and I see it is actually from the external service, as it should (regardless additional headers)

I tried to run tcpdump to look at http traffic on port 9200. When I curl, I see the request right away in tcpdump.

When the app starts, I got this error, I quit the app, and then only after 10-30 seconds, I see the filtered by tcpdump traffic.

In istio-proxy’s logs I can se “- - HTTP/1.1” 400 DPE “-” … request that corresponds to that error.

I’m not sure where to look more, was trying to set up external service, but no difference…

Thanks for any hint!