Hi,
I am using AWS EKS 1.17 and Istio 1.6.5 (I also verified the same error with Istio 1.6.8). I also got the same error with a KIND cluster on my laptop (Kubernetes 1.17).
So after deployment my service works fine, and after some time I get
upstream connect error or disconnect/reset before headers
errors. What I have realized is that going from a working state to a non-working state (and also vice versa) I get these log lines:
2020-09-03T16:37:47.226983Z warning envoy config [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:92] StreamAggregatedResources gRPC config stream closed: 13,
2020-09-03T16:37:47.289783Z warning envoy filter [src/envoy/http/authn/http_filter_factory.cc:83] mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
2020-09-03T16:37:47.291518Z warning envoy filter [src/envoy/http/authn/http_filter_factory.cc:83] mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
2020-09-03T16:37:47.298553Z warning envoy filter [src/envoy/http/authn/http_filter_factory.cc:83] mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
2020-09-03T16:37:47.302983Z warning envoy filter [src/envoy/http/authn/http_filter_factory.cc:83] mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
The service becomes UNAVAILABLE for EXACTLY 30 minutes after I see the above lines and becomes available again AFTER I see this error (so 30 min EXACTLY of downtime).
Any comment about this? I saw this on different Istio versions but it never got fully resolved (so even 1.6.8/1.6.5 have it).