I'm trying to understand when communication between microservices passes through Envoy and when it doesn't. I assumed that once the sidecar is injected, all communication from service A to service B is basically:
serviceA --> SideCarA --> SideCarB --> Service B.
I've started to doubt it due to the following scenario:
I have two services, A and B, which include the following endpoints:
- service A includes a /headers endpoint that just prints the request headers
- service B includes a /headers endpoint that just prints the request headers, and also a / endpoint that reaches the serviceA/headers endpoint and prints the response headers.
Now, from a helper pod (sleep) I'm doing the following:
- curl http://serviceb:8080/headers: I get a response and also see the X-Forwarded-Client-Cert header, which indicates the communication here is mTLS and goes through the Envoys.
- curl http://servicea:8080/headers: same thing, mTLS through the Envoys.
- curl http://serviceb:8080/: prints the headers, and they do not include X-Forwarded-Client-Cert.
Why? I'm not sure I understand why the flow from B to A isn't also through the Envoys.
Why am I trying to understand this use case?
Because once I apply the following:
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: jwt-required
      namespace: default
    spec:
      rules:
      - from:
        - source:
            requestPrincipals: ["*"]
        - source:
            namespaces: ["default"]
I expected to be able to use curl with a valid JWT token (using requestauth) but also to allow the services to communicate with each other.
I am able to do the curl thing, but once the code includes an HTTP call to the other service I get the RBAC error.
Why is it different? And sorry if it's a pretty basic question.