Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-2026

ServiceMeshExtensions don't work when dataplane mTLS is enabled

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • maistra-2.0.1
    • maistra-2.0.0
    • None
    • None
    • MAISTRA 2.0.1

    Description

      Workload pods cannot fetch the wasm modules because of missing Istio config. The default default DestinationRule we're creating (when security.dataplane.mtls == true) forces all traffic to be mTLS-encrypted - however, our cache is not running a sidecar and only supports plaintext traffic at the moment. The solution is to add a DestinationRule for the cache that sets the tls.mode to DISABLE

      See https://chat.google.com/room/AAAApkJHr5k/7xwzFk4QD2s for context

      Error looks like this:

      2020-12-02T14:22:39.999550Z	warning	envoy wasm	[external/envoy/source/extensions/common/wasm/wasm.cc:654] createWasm: failed to load (cached) from http://wasm-cacher-minimal.cp1.svc.cluster.local/3d4839ad-0f70-40c8-a6b5-a6736dfa0486
2020-12-02T14:22:40.000333Z	warning	envoy config	[external/envoy/source/common/config/grpc_subscription_impl.cc:101] gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener(s) virtualInbound: Failed to load WASM code (cached) from http://wasm-cacher-minimal.cp1.svc.cluster.local/3d4839ad-0f70-40c8-a6b5-a6736dfa0486

      Attachments

        Activity

          People

            rh-ee-gbaufake Guilherme Baufaker Rego
            dgrimm@redhat.com Daniel Grimm
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: