- Bug
- Resolution: Won't Do
- 1.23.0, 1.24.0, 1.25.0, 1.26.0, 1.27.0
When creating a DomainMapping with net-istio and mTLS, access to the URL fails with the following error:

$ curl -k https://b-y-o-certificate-vqgmxhng.foo.itsm-1-24-4.ci-psi.rhocf-dev.net
upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 336130315:SSL routines:ssl3_get_record:wrong version number
The issue happens only when we configure mTLS (STRICT mode) on the SMCP as:

security:
  dataPlane:
    mtls: true
The issue does not happen when we configure mTLS (STRICT mode) via PeerAuthentication as below (this is upstream's way):

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system # namespace where you deployed the smcp.
spec:
  mtls:
    mode: STRICT
The culprit is the destinationrule deployed in the istio-system namespace:

$ oc get destinationrules.networking.istio.io -n istio-system default
NAME      HOST      AGE
default   *.local   22m
DomainMapping spoofs the ksvc's host, and the destinationrule wrongly (I think) forces mTLS on the spoofed service.
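To show why the `*.local` rule catches the spoofed host while the external DomainMapping hostname is untouched, here is a small Python check of Istio DestinationRule host matching. It is an added example, not code from the bug report or from net-istio; only the rule name, namespace and `*.local` host come from the report, while the rule's `ISTIO_MUTUAL` tls mode, Istio's exact-beats-wildcard preference order and the ksvc hostname are assumptions.

```python
"""Which DestinationRule would force mTLS on the host a DomainMapping rewrites to?"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DestinationRule:
    name: str
    namespace: str
    host: str       # exact FQDN, or a '*.<suffix>' wildcard as Istio allows
    tls_mode: str   # trafficPolicy.tls.mode: ISTIO_MUTUAL, MUTUAL, SIMPLE, DISABLE


def host_matches(pattern: str, host: str) -> bool:
    """Istio host semantics: a leading '*' matches any non-empty prefix
    (i.e. a suffix match); otherwise the names must be equal, case-insensitively."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*"):
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def select_rule(rules: List[DestinationRule], host: str) -> Optional[DestinationRule]:
    """Most specific matching rule: an exact host beats a wildcard, and a longer
    wildcard beats a shorter one (assumed to mirror Istio's preference order)."""
    matches = [r for r in rules if host_matches(r.host, host)]
    if not matches:
        return None
    return max(matches, key=lambda r: (not r.host.startswith("*"), len(r.host)))


def mtls_forced_on(rules: List[DestinationRule], host: str) -> bool:
    rule = select_rule(rules, host)
    return rule is not None and rule.tls_mode == "ISTIO_MUTUAL"


# Constructed: the rule SMCP creates with dataPlane.mtls true. Name, namespace and
# host are from the report; the ISTIO_MUTUAL mode is an assumption.
SMCP_RULES = [DestinationRule("default", "istio-system", "*.local", "ISTIO_MUTUAL")]

# Constructed ksvc host that DomainMapping spoofs the request Host to.
KSVC_HOST = "hello.default.svc.cluster.local"
# External DomainMapping hostname taken from the curl in the report.
EXTERNAL_HOST = "b-y-o-certificate-vqgmxhng.foo.itsm-1-24-4.ci-psi.rhocf-dev.net"


def diagnose(rules: List[DestinationRule], host: str) -> str:
    rule = select_rule(rules, host)
    if rule is None:
        return f"{host}: no DestinationRule applies (sidecar auto-negotiates mTLS)"
    return f"{host}: {rule.namespace}/{rule.name} host={rule.host} tls={rule.tls_mode}"


if __name__ == "__main__":
    print(diagnose(SMCP_RULES, EXTERNAL_HOST))   # external name: no match
    print(diagnose(SMCP_RULES, KSVC_HOST))       # spoofed host: *.local forces ISTIO_MUTUAL
    print(diagnose([], KSVC_HOST))               # PeerAuthentication path: no DR at all
```

With the PeerAuthentication approach there is no DestinationRule, so the empty rule list models why that path works.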