Currently, we are working on implementing a new GKE setup for our application. It includes GKE (1.16) with Workload Identity and Istio OSS (1.6.8). We are trying to apply a STRICT mTLS policy. It works fine for most microservices except a few that call another one during startup. Those receive a TCP RST, and they receive it because they try to connect without mTLS (plain-text HTTP):
debug envoy connection [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:226] [C77289] TLS error: 268435612:SSL routines:OPENSSL_internal:HTTP_REQUEST
I thought that we were affected by this bug: https://github.com/istio/istio/issues/11130, but… that's not it, because I'm able to make the same call via curl successfully (for test purposes, I've added a curl command prior to java -jar app.jar in the entrypoint). Moreover, if I disable STRICT mTLS mode during startup and re-add the STRICT policy after successful application initialization, it is able to make the same call to the same destination microservice, which is totally weird.
Both microservices are Java 11 Spring Boot; ReactorNetty/0.9.5.RELEASE is used for making the call.
We have an old cluster (GKE 1.14 without Workload Identity) with Istio 1.1.17, and there it works fine.
P.S. I've been struggling with this issue without any significant progress for the whole last week, so any ideas/advice are welcome.
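As an added example (not from the original post, and not Istio or Envoy code): a small Python script that decodes the packed BoringSSL error code from the log line quoted above and classifies the first bytes of a connection the way a TLS-only inbound listener sees them. BoringSSL packs an error as (library << 24) | reason; library 16 is "SSL routines", and the pairing of reason code 156 with HTTP_REQUEST is read straight off the log line itself. The sample ClientHello bytes and the sample HTTP request line are constructed for the example.

```python
import re
from typing import Optional, Tuple

# The log line quoted in the post, reproduced here as sample input.
ENVOY_LOG_LINE = (
    "debug envoy connection [external/envoy/source/extensions/transport_sockets/"
    "tls/ssl_socket.cc:226] [C77289] TLS error: 268435612:SSL routines:"
    "OPENSSL_internal:HTTP_REQUEST"
)

# Constructed samples: the start of a TLS 1.2 ClientHello record, and a
# plaintext HTTP/1.1 request line such as a client that skipped TLS would send.
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"
SAMPLE_PLAINTEXT_REQUEST = b"GET /actuator/health HTTP/1.1\r\nHost: svc\r\n\r\n"

# BoringSSL error packing (ERR_PACK in err.h): (library << 24) | reason.
ERR_LIB_SSL = 16  # "SSL routines"

# Reason 156 = HTTP_REQUEST is taken from the log line; no other reason
# codes are assumed in this example.
SSL_REASON_NAMES = {156: "HTTP_REQUEST"}

_LOG_RE = re.compile(
    r"\[(C\d+)\] TLS error: (\d+):SSL routines:OPENSSL_internal:([A-Z_]+)"
)

# Request-line prefixes a TLS listener would see from a plaintext HTTP client.
# "PRI *" is the HTTP/2 cleartext (h2c) connection preface.
_HTTP_PREFIXES = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                  b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ", b"PRI *")


def decode_boringssl_error(packed: int) -> Tuple[int, int]:
    """Split a packed BoringSSL error code into (library, reason)."""
    return (packed >> 24) & 0xFF, packed & 0xFFF


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes of a connection as seen by a TLS-only listener.

    A TLS handshake starts with a record header: content type 0x16 (handshake)
    followed by record-layer version 0x03 0x0N. Bytes starting with an HTTP
    request line mean the client never started TLS at all, which is exactly
    what BoringSSL reports as HTTP_REQUEST.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls_handshake"
    if data.startswith(_HTTP_PREFIXES):
        return "plaintext_http"
    return "unknown"


def explain_envoy_tls_error(line: str) -> Optional[dict]:
    """Parse an Envoy ssl_socket TLS error line and say what the peer sent."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    conn_id, packed, logged_name = m.group(1), int(m.group(2)), m.group(3)
    lib, reason = decode_boringssl_error(packed)
    if lib != ERR_LIB_SSL:
        return None
    # Cross-check the numeric reason against the name Envoy printed.
    known = SSL_REASON_NAMES.get(reason)
    if known is not None and known != logged_name:
        raise ValueError(f"reason {reason} decoded as {known}, log says {logged_name}")
    if logged_name == "HTTP_REQUEST":
        verdict = ("peer sent a plaintext HTTP request to a port that requires TLS; "
                   "client-side mTLS origination did not happen")
    else:
        verdict = "TLS handshake failed: " + logged_name
    return {"connection": conn_id, "lib": lib, "reason": reason,
            "reason_name": logged_name, "verdict": verdict}


if __name__ == "__main__":
    print(explain_envoy_tls_error(ENVOY_LOG_LINE))
    print(classify_first_bytes(SAMPLE_CLIENT_HELLO),
          classify_first_bytes(SAMPLE_PLAINTEXT_REQUEST))
```

The classifier is the same distinction a sidecar's inbound listener makes under STRICT: a connection whose first bytes are an HTTP request line rather than a TLS record is rejected before any HTTP handling, so the calling application only ever sees the reset.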