Hello,
I’ve Istio 1.4.0 running on Kubernetes 1.15.9. I’m trying to achieve the below, but the more I read the Istio documentation, the more I’m getting confused. Let me put it in a simple way.
First thing is, I want to have mTLS for maximum services (if possible).
I’ve one elasticsearch-master pod with service exposed on 9300. I’ve one elasticsearch-data pod with service exposed on 9200 and 9300. When I’ve Istio’s default Automatic mTLS enabled, both of these pods work nicely and a healthy ES cluster starts up. I think that’s because ES master and data nodes communicate over port 9300. Also, I don’t want to access any of these ES pods from outside of the K8S cluster.
Now, I want to start one Kibana pod with service exposed on 5601. When I start the Kibana pod with Istio’s default Automatic mTLS enabled, it fails to start, because it can’t connect to the elasticsearch-data service on 9200. I’m getting all kinds of SSL errors (maybe because of the whole mTLS thing?). I don’t know if it’s even possible to have this connection with Istio’s Automatic mTLS enabled. Also, I want to access this Kibana from outside of the K8S cluster.
Appreciate your help.
Thanks.
- Ajit