Bug
Resolution: Won't Do
Minor
When setting mTLS to true as:
    security:
      dataPlane:
        mtls: true

ServiceMesh deploys destinationrules for *.local as:

    $ oc get destinationrules.networking.istio.io -n istio-system default
    NAME      HOST      AGE
    default   *.local   22m

I guess this destinationrule was necessary when automatic mTLS was not supported, but automatic mTLS is enabled by default on the current version.
The docs mention automatic mTLS, but automatic mTLS is enabled by default on Istio 1.5 (so old!):

If you are not using automatic mTLS and you are setting PeerAuthentication to STRICT, you must create a DestinationRule resource for your service.

Upstream enables mTLS STRICT mode by deploying PeerAuthentication in the system namespace. (I think ServiceMesh also supports it.)

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
      namespace: istio-system # istio system namespace.
    spec:
      mtls:
        mode: STRICT

So ServiceMesh's destinationrule results in different behavior from upstream's. I would like ServiceMesh not to deploy the extra DestinationRules.
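
To see which of the two mechanisms described above is active in a mesh, the following added example (not part of the original report and not ServiceMesh code) audits a dump of DestinationRule and PeerAuthentication objects for a mesh-wide STRICT policy and for wildcard-host DestinationRules such as `*.local`. The sample objects, the `trafficPolicy` of the `*.local` rule, the service host names, and the helper names `covers` and `audit` are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of
# `oc get destinationrules,peerauthentications -A -o json`.
# The trafficPolicy of the *.local rule is an assumption; the report
# only shows that rule's name and host.
SAMPLE = json.loads("""
{"items": [
  {"kind": "DestinationRule",
   "metadata": {"name": "default", "namespace": "istio-system"},
   "spec": {"host": "*.local",
            "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
  {"kind": "PeerAuthentication",
   "metadata": {"name": "default", "namespace": "istio-system"},
   "spec": {"mtls": {"mode": "STRICT"}}}
]}
""")


def covers(rule_host, service_host):
    """Host match: exact, or a leading '*' acting as a suffix wildcard."""
    if rule_host.startswith("*"):
        return service_host.endswith(rule_host[1:])
    return rule_host == service_host


def audit(items, root_ns="istio-system"):
    """Return (mesh_wide_strict, wildcard_rules) for a list of manifests."""
    mesh_wide_strict = False
    wildcard_rules = []
    for obj in items:
        meta, spec = obj.get("metadata", {}), obj.get("spec", {})
        if obj.get("kind") == "PeerAuthentication":
            # Mesh-wide policy: lives in the root namespace and has no selector.
            if meta.get("namespace") == root_ns and "selector" not in spec:
                mesh_wide_strict |= spec.get("mtls", {}).get("mode") == "STRICT"
        elif obj.get("kind") == "DestinationRule" and spec.get("host", "").startswith("*"):
            tls = spec.get("trafficPolicy", {}).get("tls", {}).get("mode")
            wildcard_rules.append((meta.get("namespace"), meta.get("name"), spec["host"], tls))
    return mesh_wide_strict, wildcard_rules


if __name__ == "__main__":
    strict, rules = audit(SAMPLE["items"])
    print("mesh-wide STRICT PeerAuthentication:", strict)
    for ns, name, host, tls in rules:
        print(f"wildcard DestinationRule {ns}/{name} host={host} tls={tls}")
        # Constructed service names: default and user-changed cluster domain.
        for svc in ("reviews.bookinfo.svc.cluster.local", "reviews.bookinfo.svc.example.com"):
            print("  covers", svc, "->", covers(host, svc))
```

The second service name shows why a `*.local` rule stops applying once the cluster domain is changed, the case tracked in the related issue OSSM-4194.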
- blocks: SRVKS-940 DomainMapping with net-istio mTLS strict mode does not work (Closed)
- causes: SRVKS-940 DomainMapping with net-istio mTLS strict mode does not work (Closed)
- is documented by: SRVKS-941 [DOC] Document DomainMapping with net-istio (Closed)
- is related to: OSSM-4194 DestinationRule for *.local is not correct when cluster domain is changed by user (Closed)