I have a Service A (Frontend) talking to Service B (Backend). Service B has a Policy and a DestinationRule. The Policy mode is PERMISSIVE and the DestinationRule mode is MUTUAL. When Service A sends the request through its sidecar, I get the following error:
“upstream connect error or disconnect/reset before headers. reset reason: connection failure”
Looking at the inbound config of the istio-proxy of Service B, two filter chains are getting added: one with match application_protocol: istio and TLS configs to terminate, and a second one for plain text. I suspect the Service A sidecar doesn't add “application_protocol: istio”, so the second filter chain is matched, which doesn’t have a TLS context to terminate, and it fails.
The following scenarios work:
Service A (Policy mode, DR mode) ==> Service B (Policy mode, DR mode)
no policy, DR ==> STRICT, Mutual
PERMISSIVE, MUTUAL ==> STRICT, Mutual
We use a custom CA, not Citadel.
Please let me know if I am missing something…