
In my istio mesh I have configured mTLS, and I have some external-to-the-mesh and external-to-the-cluster services I am consuming: I can connect to them just fine by creating a trafficPolicy with TLS disabled, but no matter what I do I cannot get authn tls-check to be happy as it always displays CONFLICT with server in mTLS and client in HTTP.

From what I understand, the "server" in this case is external to the mesh, and I can't seem to create a policy that applies to it to tell istio that this server is not using mTLS (obviously, as it's outside the mesh): has anybody been able to set things up so that you have an external service to your mTLS mesh and auth tls-check displays OK with mTLS disabled for both server and client?

P Ekambaram

1 Answer


You should create a ServiceEntry for your external service with protocol http, and then you should be able to call it. You don't need to set a trafficPolicy.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-myservice
spec:
  hosts:
  - myservice.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
```
Frank B
  • Thanks for the answer, but as I was saying I can connect to it no problem configuring it as the documentation says, I am just trying to figure out if it’s possible to get istioctl authn tls-check to not print CONFLICT and for that I think you would need a policy wouldn’t you? – user10571476 Oct 29 '18 at 16:52
  • I don't think there is a conflict because mTLS is configured for "mesh internal" requests, and this is a "mesh external" service. So I think this may be a bug in istioctl. I would suggest opening an Istio issue. – Frank B Oct 29 '18 at 22:02
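Since the thread leaves the CONFLICT rows for mesh-external hosts as a reporting quirk rather than a real mismatch, a small triage step keeps them from hiding genuine in-mesh conflicts. The script below is an added example, not code from the question or answer: it parses the whitespace-separated table that `istioctl authn tls-check` prints (the sample lines and the column layout are constructed for Istio 1.0; adjust the field positions if your version differs) and separates CONFLICT rows whose host is declared in a MESH_EXTERNAL ServiceEntry (the `MESH_EXTERNAL_HOSTS` set is an assumed input) from conflicts between in-mesh services.

```python
"""Triage `istioctl authn tls-check` output: separate CONFLICT rows that are
expected for MESH_EXTERNAL ServiceEntry hosts from conflicts inside the mesh."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample in the column layout of `istioctl authn tls-check` (Istio 1.0):
# HOST:PORT  STATUS  SERVER  CLIENT  AUTHN POLICY  DESTINATION RULE
SAMPLE_TLS_CHECK = """\
HOST:PORT                                   STATUS     SERVER     CLIENT     AUTHN POLICY     DESTINATION RULE
httpbin.default.svc.cluster.local:8000      OK         mTLS       mTLS       default/         -
myservice.com:80                            CONFLICT   mTLS       HTTP       default/         -
legacy.default.svc.cluster.local:9090       CONFLICT   mTLS       HTTP       default/         legacy/default
"""

# Hosts declared in ServiceEntry objects with location MESH_EXTERNAL (constructed, assumed input).
MESH_EXTERNAL_HOSTS = {"myservice.com"}


@dataclass
class TlsCheckRow:
    host: str
    port: int
    status: str
    server: str
    client: str


def parse_tls_check(output: str) -> List[TlsCheckRow]:
    """Parse the whitespace-separated table; skips the header and blank lines."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "HOST:PORT":
            continue
        host, _, port = fields[0].rpartition(":")
        rows.append(TlsCheckRow(host, int(port), fields[1], fields[2], fields[3]))
    return rows


def triage(rows: Iterable[TlsCheckRow], external_hosts: Set[str]) -> Dict[str, List[str]]:
    """Buckets: 'ok', 'external' (mesh-external host, CONFLICT expected), 'conflict' (in-mesh mismatch)."""
    result: Dict[str, List[str]] = {"ok": [], "external": [], "conflict": []}
    for r in rows:
        key = f"{r.host}:{r.port}"
        if r.status != "CONFLICT":
            result["ok"].append(key)
        elif r.host in external_hosts:
            result["external"].append(key)
        else:
            result["conflict"].append(key)
    return result
```

Feed it the real command output and your cluster's MESH_EXTERNAL hosts; anything left in the `conflict` bucket is a genuine server/client TLS mismatch inside the mesh.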