Hello, I noticed that in Istio 1.6.6 the solution/workaround for enabling mTLS for pod-to-pod in-cluster communication — essentially defining a ServiceEntry for any pod services we want to enable mTLS for — no longer works. The original solution, for reference, is here: [Question] Enable in-mesh pod to communicate with another in-mesh pod using PodIP (mTLS enabled)
I believe the change that broke this behavior is this:
AFAICT, the motivation for this change was that they cannot tell whether the destination pod has a sidecar injected or not. But in our case, the destination pod does have a sidecar and was relying on the auto mTLS that this change has now disabled.
Has anyone else seen this?
istioctl proxy-config cluster output from Istio 1.6.5 (with mTLS working):
{
"name": "outbound|8080||test-server-6f5bc8bd5c-l7xbt",
"type": "ORIGINAL_DST",
"connectTimeout": "10s",
"lbPolicy": "CLUSTER_PROVIDED",
"circuitBreakers": {
"thresholds": [
{
"maxConnections": 4294967295,
"maxPendingRequests": 4294967295,
"maxRequests": 4294967295,
"maxRetries": 4294967295
}
]
},
"transportSocket": {
"name": "envoy.transport_sockets.tls",
"typedConfig": {
"@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext",
"commonTlsContext": {
"tlsCertificateSdsSecretConfigs": [
{
"name": "default",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-grpc"
}
}
]
}
}
}
],
"combinedValidationContext": {
"defaultValidationContext": {},
"validationContextSdsSecretConfig": {
"name": "ROOTCA",
"sdsConfig": {
"apiConfigSource": {
"apiType": "GRPC",
"grpcServices": [
{
"envoyGrpc": {
"clusterName": "sds-grpc"
}
}
]
}
}
}
},
"alpnProtocols": [
"istio-peer-exchange",
"istio"
]
},
"sni": "outbound_.8080_._.test-server-6f5bc8bd5c-l7xbt"
}
},
"filters": [
{
"name": "istio.metadata_exchange",
"typedConfig": {
"@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
"typeUrl": "type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange",
"value": {
"protocol": "istio-peer-exchange"
}
}
}
]
},
istioctl proxy-config cluster output from Istio 1.6.6 (mTLS no longer working — note that the transportSocket block with the UpstreamTlsContext present in the 1.6.5 output above is absent here, so the upstream connection is no longer configured with TLS):
{
"name": "outbound|8080||test-server-6f5bc8bd5c-w847r",
"type": "ORIGINAL_DST",
"connectTimeout": "10s",
"lbPolicy": "CLUSTER_PROVIDED",
"circuitBreakers": {
"thresholds": [
{
"maxConnections": 4294967295,
"maxPendingRequests": 4294967295,
"maxRequests": 4294967295,
"maxRetries": 4294967295
}
]
},
"filters": [
{
"name": "istio.metadata_exchange",
"typedConfig": {
"@type": "type.googleapis.com/udpa.type.v1.TypedStruct",
"typeUrl": "type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange",
"value": {
"protocol": "istio-peer-exchange"
}
}
}
]
},