Hello. My team has three different environments which all have their own service mesh. We have one service which is bound to port 443 which we do not want to run Istio mTLS on (long story but it performs mTLS at the application level). Let’s say this service is named
We have defined the following PeerAuthentication rule and DestinationRule.
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  labels: ...
  name: ...
  namespace: ...
spec:
  portLevelMtls:
    "443":
      mode: DISABLE
  selector:
    matchLabels: ...
```

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  labels: ...
  name: ...
  namespace: ...
spec:
  host: target.<namespace>.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: DISABLE
```
This has been working on all of our environments until recently. This no longer seems to work on our development environment and I am trying to understand why. I have used openssl to debug the issue and I have confirmed that the PeerAuthentication rule is not in effect, since the client does not try to perform mTLS. When I try to reach the target service from the client, I see the Istio-signed certificate being presented by the target service.
In previous versions of Istio there was a useful istioctl command to check the effective TLS mode between client and server but that appears to be gone. I have looked into the proxy config as well but the output is enormous and difficult to grok.
What would be the best way to debug why this PeerAuthentication rule doesn’t seem to be working?
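One way to read the effective mode straight out of the server sidecar, as an added example (not from the original post or from Istio itself): dump the listeners with `istioctl proxy-config listener <pod> -n <namespace> -o json` and classify the filter chains that match the port. `SAMPLE` is a constructed, trimmed extract of that output in which port 443 still carries an mTLS-only chain, which is what the symptom above (the sidecar presenting the Istio certificate) would look like.

```python
# Added example, not from the original post: summarise the TLS mode Envoy
# actually enforces on an inbound port, from the JSON array emitted by
#   istioctl proxy-config listener <server-pod> -n <namespace> -o json
import json

TLS_SOCKET = "envoy.transport_sockets.tls"

def inbound_chain_modes(listeners, port):
    """Per filter chain on virtualInbound that matches `port`:
    'mtls' (TLS, client cert required), 'tls', or 'plaintext'."""
    modes = []
    for lst in listeners:
        if lst.get("name") != "virtualInbound":
            continue
        for chain in lst.get("filterChains", []):
            match = chain.get("filterChainMatch", {})
            if match.get("destinationPort") != port:
                continue
            sock = chain.get("transportSocket", {})
            if sock.get("name") == TLS_SOCKET:
                ctx = sock.get("typedConfig", {})
                modes.append("mtls" if ctx.get("requireClientCertificate") else "tls")
            else:
                modes.append("plaintext")
    return modes

def effective_peer_auth_mode(listeners, port):
    """Map the chain modes back to the PeerAuthentication vocabulary."""
    modes = set(inbound_chain_modes(listeners, port))
    if not modes:
        return "NO_CHAIN"        # port not served by the sidecar at all
    if modes == {"plaintext"}:
        return "DISABLE"
    if "plaintext" in modes:
        return "PERMISSIVE"
    return "STRICT"

# Constructed, trimmed sample in the shape istioctl emits (many fields omitted).
SAMPLE = json.loads("""[{"name": "virtualInbound", "filterChains": [
 {"filterChainMatch": {"destinationPort": 8080, "transportProtocol": "tls"},
  "transportSocket": {"name": "envoy.transport_sockets.tls",
   "typedConfig": {"requireClientCertificate": true}}},
 {"filterChainMatch": {"destinationPort": 8080, "transportProtocol": "raw_buffer"}},
 {"filterChainMatch": {"destinationPort": 443, "transportProtocol": "tls"},
  "transportSocket": {"name": "envoy.transport_sockets.tls",
   "typedConfig": {"requireClientCertificate": true}}}]}]""")

if __name__ == "__main__":
    # 8080 shows the PERMISSIVE default; 443 is still mTLS-only, i.e. the
    # portLevelMtls DISABLE never reached this pod (check the selector).
    for p in (8080, 443):
        print(p, effective_peer_auth_mode(SAMPLE, p))
```

A port that comes back STRICT or PERMISSIVE while the PeerAuthentication says DISABLE usually means the selector did not match the pod, or the rule lives in a different namespace from the workload.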