- Story
- Resolution: Done
- Normal
- OSSM 2.0.10, OSSM 2.1.1, OSSM 2.2.2
- Documentation (Ref Guide, User Guide, etc.), Release Notes
- Sprint 59, Sprint 60
In MAISTRA-1972, we disabled protocol sniffing by default and even extended the validatingwebhook to not allow re-enabling it. This was due to security concerns about the implementation present in OSSM 2.0/Istio 1.5. I cannot find any more documentation about our concerns, but as upstream has been running with this feature enabled by default for ages, and customers are asking for it, we should at least allow enabling it. The default will stay disabled for now.
The fields in SMCP look like this:
    spec:
      proxy:
        networking:
          protocol:
            autoDetect:
              # maps to PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
              inbound: true
              # maps to PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
              outbound: true
              # maps to protocolDetectionTimeout in meshConfig
              timeout: 500ms
Acceptance Criteria:
- Remove the validation that blocks usage of the fields in spec.proxy.networking.protocol.autoDetect
- Add documentation
- Add a release note
Original description:
Since Istio 1.6, this feature has been enabled by default.
https://istio.io/v1.6/docs/ops/configuration/traffic-management/protocol-selection/
However, our OSSM still seems to be keeping the old config from Istio 1.4:

    $ oc get deployment istiod-basic -o yaml -n istio-system | grep SNIFF -A1
    - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND
      value: "false"
    - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND
      value: "false"

And these two environment variables only exist in istiod's deployment.
We should be able to configure them via SMCP
Related case - https://access.redhat.com/support/cases/#/case/03339815
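An added example, not code from this issue or from OSSM: a drift check that compares the `autoDetect` fields of an SMCP with the two sniffing variables on the istiod Deployment, using the mapping given above. It assumes both objects were exported as JSON (for instance with `oc get ... -o json`); the function names and the sample objects are constructed for illustration.

```python
# Field under spec.proxy.networking.protocol.autoDetect -> istiod env variable
# (mapping as stated in this issue).
ENV_FOR_FIELD = {
    "inbound": "PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND",
    "outbound": "PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND",
}

def desired_sniffing(smcp):
    """Return {env_name: bool} requested by the SMCP; unset fields count as disabled."""
    node = smcp
    for key in ("spec", "proxy", "networking", "protocol", "autoDetect"):
        node = (node or {}).get(key)
    node = node or {}
    return {env: bool(node.get(field, False)) for field, env in ENV_FOR_FIELD.items()}

def actual_sniffing(deployment):
    """Return {env_name: bool or None}; None means the variable is not set at all."""
    found = dict.fromkeys(ENV_FOR_FIELD.values())
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for env in container.get("env", []):
            if env.get("name") in found:
                found[env["name"]] = str(env.get("value", "")).lower() == "true"
    return found

def sniffing_drift(smcp, deployment):
    """List every variable whose deployed value differs from what the SMCP asks for.

    A missing variable is reported too, because istiod would then fall back
    to its built-in default instead of the mesh's explicit setting.
    """
    want, have = desired_sniffing(smcp), actual_sniffing(deployment)
    return sorted(
        f"{name}: SMCP wants {want[name]}, istiod has {have[name]}"
        for name in want if want[name] != have[name]
    )

# Constructed sample objects (not taken from a real cluster).
SAMPLE_SMCP = {"spec": {"proxy": {"networking": {"protocol": {
    "autoDetect": {"inbound": True, "timeout": "500ms"}}}}}}
SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [{
    "name": "discovery",
    "env": [
        {"name": "PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND", "value": "false"},
        {"name": "PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND", "value": "false"},
    ]}]}}}}

if __name__ == "__main__":
    for line in sniffing_drift(SAMPLE_SMCP, SAMPLE_DEPLOYMENT):
        print(line)
```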