OpenShift Service Mesh / OSSM-1047

Default destinationRule, when mtls is enabled, sets "spec.host" to *.local

Details

    • Compatibility/Configuration, User Experience

    Description

      When enabling mTLS for the mesh, the default destination rule is created with "spec.host: *.local", which may conflict when the main domain of the cluster also uses .local as its root domain, for example ocp4.example.local, which a lot of customers use for private OCP clusters.
      Since the main purpose here is to enable mTLS between mesh workloads, I think it would be better to change the template that the operator uses to create the destinationRule:


      spec:
        host: "*.{{ .Values.global.proxy.clusterDomain }}"  # --> perhaps like this so if not configured by default we'd get *.cluster.local?
        {{- if .Values.global.defaultConfigVisibilitySettings }}
        exportTo:
        - '*'
        {{- end }}
        trafficPolicy:
          tls:
            mode: ISTIO_MUTUAL
      https://github.com/maistra/istio-operator/blob/72821e667f7010712a58973c7e40d35bf2c5967f/resources/helm/v2.1/mesh-config/templates/enable-mesh-mtls.yaml#L32
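Added example, not part of the original report or the operator's code: a small check of which hostnames the current `*.local` host captures compared with the proposed `*.<clusterDomain>` host. It assumes wildcard hosts match by suffix across multiple labels; the function names and all sample hostnames other than the `ocp4.example.local` domain are constructed for illustration.

```python
# Added example: compare what "*.local" and "*.cluster.local" capture.
# Assumption: a leading "*" in a DestinationRule host matches any prefix,
# so "*.local" matches every name that ends in ".local".


def wildcard_matches(rule_host: str, hostname: str) -> bool:
    """Return True if hostname falls under rule_host (exact or wildcard)."""
    rule_host = rule_host.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if rule_host == "*":
        return True
    if rule_host.startswith("*"):
        # "*.local" -> suffix ".local"; the bare name "local" does not match.
        return hostname.endswith(rule_host[1:])
    return rule_host == hostname


def captured_hosts(rule_host, hostnames):
    """Hostnames that the rule's trafficPolicy would be a candidate for."""
    return [h for h in hostnames if wildcard_matches(rule_host, h)]


# Constructed sample: one in-mesh service name, two names under a private
# cluster base domain like the one in the report, one unrelated name.
SAMPLE_HOSTS = [
    "reviews.bookinfo.svc.cluster.local",
    "api.ocp4.example.local",
    "console.apps.ocp4.example.local",
    "registry.example.com",
]


def compare(cluster_domain: str = "cluster.local", hostnames=SAMPLE_HOSTS):
    """Show which hosts stop matching when the template uses clusterDomain."""
    current = captured_hosts("*.local", hostnames)
    proposed = captured_hosts("*." + cluster_domain, hostnames)
    return {
        "current": current,
        "proposed": proposed,
        "no_longer_captured": [h for h in current if h not in proposed],
    }


if __name__ == "__main__":
    for key, hosts in compare().items():
        print(f"{key}: {hosts}")
```

Whether a captured host actually gets ISTIO_MUTUAL also depends on any more specific DestinationRule for that host, which this check does not model.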

            rhn-support-andcosta Andre Costa