Hey guys,
I have MTLS globally enabled, and a headless service where I’d like only one port to use MTLS.
I have difficulty setting up the configuration. I then tried to completely disable mTLS on my headless service as a first step, but it does not work. Can anyone help me understand what's going on?
Here is my configuration in the namespace where I have my headless service with a StatefulSet:
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "cassandra-e2e"
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
---
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "tls-only-native-port"
  namespace: "cassandra-e2e"
spec:
  host: "*.cassandra-e2e.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE
The issue is between 2 nodes of the headless service that can't communicate with each other. I would expect the destination rule to be applied to all pods, even pods belonging to the service. Am I wrong?
Thank you
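Added example, not from the original post: how the "only one port on mTLS" goal is expressed with the same two APIs, using a target-scoped Policy for the server side and `portLevelSettings` on the DestinationRule for the client side. The service name `cassandra` and port `9042` are assumed placeholders; substitute the real ones.

```yaml
# Added example, not the poster's configuration.
# Assumptions: the headless service is named "cassandra" and the port that
# must stay on mTLS is 9042 (both placeholders).
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "cassandra-native-port-mtls"
  namespace: "cassandra-e2e"
spec:
  targets:
  - name: "cassandra"          # placeholder service name
    ports:
    - number: 9042             # placeholder: only this port requires mTLS
  peers:
  - mtls:
      mode: STRICT             # server side: reject plaintext on this port
---
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "cassandra-native-port-mtls"
  namespace: "cassandra-e2e"
spec:
  host: "cassandra.cassandra-e2e.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE            # default for every other port: plaintext
    portLevelSettings:
    - port:
        number: 9042
      tls:
        mode: ISTIO_MUTUAL     # client side: originate mTLS only to this port
```

The namespace-level PERMISSIVE Policy from the post stays in place and keeps governing the remaining ports; the client-side DestinationRule must agree with the server-side Policy port by port, otherwise one side speaks TLS while the other expects plaintext and the connection is reset.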