Brief
Currently I have a service which receives webhook notifications on k8s operations via k8s mutating webhooks. However, when mTLS is switched on, the service cannot receive requests. I understand that “istio-service” cannot receive requests from “non-istio-service” where kube-api cannot connect to my service. Is there a way to turn mTLS off for receiving requests on specific ports? Or any workarounds? Thank you!
Here’s my repo for reference:
https://github.com/isaiahwong/gateway-go
Kindly ignore the README.md
My config for mutating webhook
The cert is a self-signed cert.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: gateway-webhook
  namespace: default
webhooks:
  - name: gateway-service.default.svc
    clientConfig:
      service:
        name: gateway-service
        namespace: default
        path: '/webhook'
      caBundle: <YOUR_CA_BUNDLE>
    rules:
      - operations: ['*']
        apiGroups: ['*']
        apiVersions: ['*']
        resources: ['services']
Pod listening via TLS
// Start webhook server
if err := ws.Server.ListenAndServeTLS(config.WebhookCertDir, config.WebhookKeyDir); err != nil && err != http.ErrServerClosed {
	logger.Fatalf("Webhook server: %s\n", err)
}