How to use mTLS without using istio ingress and using azure app gateway ingress?

We have our application running in an AKS cluster and are using the cert-manager Helm chart in a separate namespace for Let's Encrypt certificate generation. The argocd namespace is for handling deployments.

We need to enable mTLS. Does that require Istio to be labelled on the argocd and cert-manager namespaces also?

And we already have the Azure app gateway ingress to route traffic to the deployments running in our namespace, so we didn't enable the Istio ingress.

Once I enabled the STRICT option at the global level, routing stopped working from the Azure app gateway ingress to our application.

kubectl apply -n istio-system -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: STRICT
EOF

And I am getting 502 Bad Gateway.

If I remove the above PeerAuthentication or change it to PERMISSIVE, then I am able to access the page without the 502 error.

What should I do to implement STRICT mode without the Istio ingress?

kubectl edit peerauthentication -n istio-system
peerauthentication.security.istio.io/default edited

Enabling STRICT mTLS mode tells the Istio sidecar proxies protecting your application pods to reject all traffic which is not part of the mesh. Traffic coming from the Azure app gateway ingress is not part of the mesh. You cannot use STRICT mTLS mode with a non-Istio ingress controller; in order to enable Istio mTLS STRICT mode, you must also use the Istio ingress controller.

So what are the options available for that?

But why was the gateway made optional then?

I tried routing traffic from the Azure app gateway ingress to the istio-gateway and using it from there, but it is not working.

azure app gateway → istio ingress gateway → services in mesh

why was the gateway made optional then?

Gateways are optional to support as many use cases as possible; for example, some Istio users may only wish to use the in-cluster (pod-to-pod) features of the service mesh.

azure app gateway → istio ingress gateway → services in mesh

This should be possible; for example, this can be done on AWS with an ALB. If it's not working on AKS you may need to get some more details from your cloud provider about how to integrate.

(pod-to-pod)

We thought to have only this.

Pod-to-pod mTLS.

But it is restricting external traffic right?

If we just set it to PERMISSIVE, then it will allow all traffic, and there is no use in enabling TLS either, as it allows all traffic.

Pod-to-pod mTLS. But it is restricting external traffic, right?

In STRICT mode that’s right!

If we just set it to PERMISSIVE, then it will allow all traffic

Also right!

no use in enabling TLS either, as it allows all traffic.

That's why I suggest trying to make this configuration work:

azure app gateway → istio ingress gateway → services in mesh

It should work. The Istio ingress gateway's job is to turn external (non-mesh) traffic into mesh traffic. So when mTLS is in STRICT mode, azure app gateway → services in mesh will be impossible. The only way to access them will be to go through the ingress gateway.

With the Azure app gateway ingress, I am not able to set the backend to the service (istio-gateway) as it is in another namespace.

I tried using the full DNS name, but it gives a syntax error.

Yeah, sounds like you'll need to investigate this from an Azure standpoint. Azure app gateway should be able to talk to services in other namespaces. You may want to raise a support case with your Azure support folks.
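For reference, here is one way to wire up the chain suggested above (azure app gateway → istio ingress gateway → services in mesh) while keeping the mesh-wide STRICT PeerAuthentication from the question. This is an added example, not configuration from the thread or from the Istio or AGIC projects. A Kubernetes Ingress backend can only reference a Service in the Ingress object's own namespace, which is the cross-namespace limitation hit above; the workaround shown here is to create the AGIC Ingress in istio-system, where the istio-ingressgateway Service lives, and let an Istio Gateway plus VirtualService carry the host onward into the mesh. The namespace "apps", the Service "myapp" on port 8080, the host "myapp.example.com" and the resource names are assumptions.

```yaml
# Added example (not from the thread). Assumed names: app namespace "apps",
# Service "myapp" listening on 8080, public host "myapp.example.com".
#
# 1. AGIC Ingress, created in istio-system so that its backend can be the
#    istio-ingressgateway Service (Ingress backends are namespace-local, so an
#    Ingress in "apps" cannot point at a Service in istio-system).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
---
# 2. Istio Gateway: the ingress gateway accepts the plaintext hop from App
#    Gateway on port 80 for this host. Everything after this point is mesh
#    traffic, so the mesh-wide STRICT policy is satisfied.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: myapp-gateway
  namespace: apps
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - myapp.example.com
---
# 3. VirtualService: route the host from the gateway to the application
#    Service. The gateway-to-sidecar hop is mTLS, unlike App Gateway -> pod.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: myapp
  namespace: apps
spec:
  hosts:
  - myapp.example.com
  gateways:
  - myapp-gateway
  http:
  - route:
    - destination:
        host: myapp.apps.svc.cluster.local
        port:
          number: 8080
```

Two things to check after applying this. First, the Gateway's hosts entry must match the Host header that App Gateway actually forwards; if App Gateway rewrites the Host header to the backend address, either match that name in the Gateway or use "*" as the host while testing. Second, the mesh-wide STRICT PeerAuthentication only governs pods that have a sidecar, so workloads in namespaces without injection (argocd, cert-manager) are not themselves affected by it, but they will no longer be able to reach sidecar-injected pods over plaintext, which is the same reason the direct App Gateway → pod path returned 502.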