dploeger

Reputation: 97

503 response when activating an MTLS policy

I'm fairly new to Istio and am trying to set up mTLS in an Istio mesh on my test cluster. I've set up a WordPress app using Helm (the release is called "exasperated-whippet") and am requesting the content from an Alpine test pod using curl.

Without any mTLS setup, everything works.

When I create this destination rule:

apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "exasperated-whippet-wordpress-mtls-dr"
spec:
  host: exasperated-whippet-wordpress
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

the requests still reach the service fine, and Kiali adds a lock badge to the traffic, which should denote the traffic as encrypted (right?).

However, once I add this policy, as described in the Mutual TLS Migration documentation:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "exasperated-whippet-wordpress-mtls-policy"
spec:
  targets:
  - name: exasperated-whippet-wordpress
  peers:
  - mtls:
      mode: STRICT

the traffic crashes and I get 503 responses back.

Am I missing something here?

Upvotes: 0

Views: 596

Answers (1)

dploeger

Reputation: 97

Just found the answer myself.

The error was because of WordPress' readiness and liveness probes. After enabling the strict policy, their traffic wasn't rewritten by the sidecar container, and that looked like mTLS wasn't working at all when it was just the backend failing, as expected.

Enabling the probe rewrite feature finally fixed it.

Upvotes: 1
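What the accepted fix looks like in a manifest, as an added example that is not part of the original question or answer. The mechanism behind the 503: the kubelet sends its httpGet probes from the node straight to the pod IP, not through any sidecar, so under a STRICT policy the WordPress sidecar rejects them as plaintext, the pod never becomes Ready, it is dropped from the Service endpoints, and the curl pod's Envoy answers 503 because it has no healthy upstream. With probe rewriting enabled, the injector points the probes at the sidecar's status port, and the sidecar relays them to the app over localhost, where no mTLS is required. The Deployment name, image, probe paths and timings below are assumptions for illustration; the annotation and the Helm value are the ones documented by Istio for the 1.1-era sidecar injector.

```yaml
# Added example (not from the original post): a WordPress Deployment with
# HTTP probes plus the per-pod Istio annotation that turns on probe rewriting.
# Image, probe paths and delays are assumptions chosen for illustration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: exasperated-whippet-wordpress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wordpress
  template:
    metadata:
      labels:
        app: wordpress
      annotations:
        # Per-pod switch. The sidecar injector rewrites every httpGet probe
        # on this pod to the sidecar's status port (15020) under
        # /app-health/<container>/livez and /app-health/<container>/readyz,
        # and the sidecar forwards them to the app on localhost, so the
        # kubelet's plaintext probe traffic is no longer refused by STRICT.
        # Mesh-wide alternative at install time (Istio Helm chart of that era):
        #   --set sidecarInjectorWebhook.rewriteAppHTTPProbe=true
        sidecar.istio.io/rewriteAppHTTPProbers: "true"
    spec:
      containers:
      - name: wordpress
        image: wordpress:5.2-apache   # assumption
        ports:
        - containerPort: 80
        readinessProbe:
          httpGet:
            path: /wp-login.php       # assumption
            port: 80
          initialDelaySeconds: 30
          periodSeconds: 10
        livenessProbe:
          httpGet:
            path: /wp-login.php       # assumption
            port: 80
          initialDelaySeconds: 120
          periodSeconds: 10
```

Two checks are worth doing before blaming mTLS itself. First, `kubectl describe pod` on the WordPress pod: under a STRICT policy without rewriting, the events show readiness probe failures and the pod shows 1/2 Ready, which is the real cause of the "no healthy upstream" 503. Second, after applying the annotation, `kubectl get pod <name> -o yaml` should show the injected probes pointing at port 15020 with the `/app-health/wordpress/readyz` and `/app-health/wordpress/livez` paths; if they still point at port 80, the injector did not see the annotation (for example because the pod was created before it was added, so a rollout restart is needed). Only httpGet probes are rewritten; a tcpSocket probe against the app port would still be refused under STRICT and needs to be changed to an exec probe or a rewritten httpGet.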
