Default mTLS between canary installs

Hello, I’m looking for some help confirming default mTLS behaviour and canary installs. I have a 1.9 revision control plane running alongside a 1.10 revision control plane. Once STRICT enforcement is applied to a namespace via a PeerAuthentication, pods will only accept traffic from other pods with sidecars which are members of the same mesh/control plane. Traffic from the sidecars which are members of the canary control plane is dropped, and vice versa. As istiod handles certificate signing, I assume this is because the pods are under the control of different istiod revisions which generate their own intermediate, even though the same istio-ca-secret is used by both?

This seems strange; they should be able to talk with each other if you are using the Istio self-signed root cert. What is the error message or log in Envoy? Is it related to a TLS handshake failure?

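The reply above points at the Envoy (istio-proxy) access log as the place to confirm whether dropped cross-revision traffic is a TLS handshake failure. The following is an added example, not part of the original thread or of Istio itself: two small shell helpers that separate TLS handshake failures from plain connection failures in access-log lines. The sample lines are constructed, and the assumption that the upstream transport failure reason appears as a quoted `"TLS error: ..."` field (as in Istio's default text access-log format) is mine.

```shell
#!/bin/sh
# Constructed sample of istio-proxy access-log lines (not captured from a real
# cluster). Line 1: upstream reset with a TLS error (certificate verification
# failed). Line 2: a successful request. Line 3: upstream reset that is a plain
# TCP connect failure, not TLS. Assumption: the default Istio text access-log
# layout, where UPSTREAM_TRANSPORT_FAILURE_REASON is the quoted field after
# the response-code details.
SAMPLE_LOG='[2021-05-10T10:00:01.000Z] "GET /status HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure,TLS_error} - "TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED" 0 91 3 - "-" "curl/7.76.1" "req-id-1" "httpbin.team-b:8000" "10.0.1.15:8000" outbound|8000||httpbin.team-b.svc.cluster.local 10.0.0.8:47210 10.96.5.2:8000 10.0.0.8:40334 - default
[2021-05-10T10:00:02.000Z] "GET /status HTTP/1.1" 200 - via_upstream - "-" 0 1024 4 3 "-" "curl/7.76.1" "req-id-2" "httpbin.team-b:8000" "10.0.1.15:8000" outbound|8000||httpbin.team-b.svc.cluster.local 10.0.0.8:47212 10.96.5.2:8000 10.0.0.8:40336 - default
[2021-05-10T10:00:03.000Z] "GET /status HTTP/1.1" 503 UF,URX upstream_reset_before_response_started{connection_failure} - "delayed connect error: 111" 0 91 1 - "-" "curl/7.76.1" "req-id-3" "httpbin.team-b:8000" "10.0.1.15:8000" outbound|8000||httpbin.team-b.svc.cluster.local 10.0.0.8:47214 10.96.5.2:8000 10.0.0.8:40338 - default'

# Count lines (from stdin) whose response flags include UF (upstream failure),
# i.e. every request the sidecar could not deliver upstream for any reason.
count_upstream_failures() {
  grep -c ' UF' || true
}

# Count lines (from stdin) whose upstream transport failure reason is a TLS
# error. A subset of count_upstream_failures; the difference is non-TLS drops.
count_tls_failures() {
  grep -c '"TLS error: ' || true
}

# For each TLS failure line, print only the final OpenSSL reason token
# (e.g. CERTIFICATE_VERIFY_FAILED), which tells you whether the peer's
# certificate chain was rejected (trust-root mismatch between control planes)
# rather than some other handshake problem.
tls_failure_reasons() {
  sed -n 's/.*"TLS error: [^"]*:\([A-Za-z_]*\)".*/\1/p'
}

# Stand-alone run over the constructed sample.
echo "upstream failures: $(printf '%s\n' "$SAMPLE_LOG" | count_upstream_failures)"
echo "tls failures:      $(printf '%s\n' "$SAMPLE_LOG" | count_tls_failures)"
echo "tls reasons:"
printf '%s\n' "$SAMPLE_LOG" | tls_failure_reasons
```

Against a live pod you would feed the sidecar's log instead of the sample, e.g. `kubectl logs <pod> -c istio-proxy | tls_failure_reasons`; a run of `CERTIFICATE_VERIFY_FAILED` between sidecars of different revisions is the signal that the two control planes are not sharing a trust root, whereas `delayed connect error` lines are unrelated to mTLS.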

Hmm, thanks very much for your reply. I seem to have missed something because I can’t now reproduce. I’ve been testing some upgrade scenarios, so I may have inadvertently tested from a namespace that I’d dropped from the mesh. In any case, I think this is my error, so apologies.