I am using Istio 1.4.3. I have enabled mesh-wide mTLS and it works fine most of the time.
As per the Istio doc below, when I try to list the certs used by Envoy it always says no such file or directory, but mTLS still works fine and Kiali shows my mesh-wide mTLS is enabled.
kubectl exec -it utility -n apps -c istio-proxy -- ls /etc/certs
ls: cannot access ‘/etc/certs’: No such file or directory
I also have a destinationrule created in the istio system namespace with the name default and *.local host, with traffic policy ISTIO-MUTUAL. When we enable mesh-level mTLS, do we still need this destinationrule?
I frequently see pod-to-pod communication fail with the below error. I have not enabled istio_cni. This gets fixed if I restart the istio-pilot deployment. I am getting this issue very frequently.
upstream_transport_failure_reason":"TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER