
How to disable mTLS on Istio?


I have a problem with connecting two services on Kubernetes with Istio. My service makes POST requests to Elasticsearch.

2020-11-18T21:51:53.758079131Z org.elasticsearch.client.ResponseException: method [POST], host [http://elasticsearch:9200], URI [/_bulk?timeout=1m], status line [HTTP/1.1 503 Service Unavailable]
2020-11-18T21:51:53.758087238Z upstream connect error or disconnect/reset before headers. reset reason: connection failure

I read some questions/GitHub issues about that and one of the possible reasons could be mTLS, so how can I disable it?

I was trying with this:

apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: DISABLE

But with this PeerAuthentication, I'm not even able to reach my service. Do you have any advice?


Solution

  • Disable mTLS

    This PeerAuthentication is the correct way to disable mTLS.

    apiVersion: "security.istio.io/v1beta1"
    kind: "PeerAuthentication"
    metadata:
      name: "default"
      namespace: "istio-system"
    spec:
      mtls:
        mode: DISABLE
    

    There is Istio documentation about that.


    Elasticsearch issue

    According to the Istio documentation:

    There are two Elasticsearch configuration parameters that need to be set appropriately to run Elasticsearch with Istio: network.bind_host and network.publish_host. By default, these parameters are set to the network.host parameter. If network.host is set to 0.0.0.0, Elasticsearch will most likely pick up the pod IP as the publishing address and no further configuration will be needed.

    If the default configuration does not work, you can set the network.bind_host to 0.0.0.0 or localhost (127.0.0.1) and network.publish_host to the pod IP. For example:

    ...
    containers:
    - name: elasticsearch
      image: docker.elastic.co/elasticsearch/elasticsearch:7.2.0
      env:
        - name: network.bind_host
          value: 127.0.0.1
        - name: network.publish_host
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
       ...
    

    Refer to Network Settings for Elasticsearch for more information.

    If that doesn't work, there are two GitHub issues:

    which suggest using

    annotations:
      traffic.sidecar.istio.io/excludeOutboundPorts: "" 
      traffic.sidecar.istio.io/excludeInboundPorts: ""
    

    There is Elasticsearch documentation about that.
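The answer's mesh-wide PeerAuthentication does what was asked, but it strips mTLS from every sidecar in the mesh, not just the Elasticsearch hop. The script below is an added example (not code from Istio, Elasticsearch or the answer's author) that lints the manifests from this thread: it classifies a PeerAuthentication as mesh-, namespace- or workload-scoped, flags a non-workload DISABLE, and checks the Elasticsearch pod template for the two network settings and for empty excludeInboundPorts/excludeOutboundPorts annotations. Manifests are written as the dicts that yaml.safe_load() would return for the YAML on the page; the `app=elasticsearch` label, the `logging` namespace and the port-level PERMISSIVE alternative are constructed assumptions.

```python
"""Lint an Istio PeerAuthentication and an Elasticsearch pod template.

Added example, not code from Istio or Elasticsearch. Manifests below are
the dict form of the YAML on the page; labels, namespaces and the
port-level alternative are constructed assumptions.
"""
from typing import Dict, List

MESH_ROOT_NAMESPACE = "istio-system"  # Istio's default root namespace
EXCLUDE_ANNOTATIONS = (
    "traffic.sidecar.istio.io/excludeInboundPorts",
    "traffic.sidecar.istio.io/excludeOutboundPorts",
)

# Mesh-wide policy from the question (dict form of the page's YAML).
MESH_WIDE_DISABLE: Dict = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "PeerAuthentication",
    "metadata": {"name": "default", "namespace": "istio-system"},
    "spec": {"mtls": {"mode": "DISABLE"}},
}

# Narrower alternative (assumption: ES pods carry app=elasticsearch in
# namespace "logging"): STRICT for the workload, PERMISSIVE on 9200 only.
WORKLOAD_SCOPED: Dict = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "PeerAuthentication",
    "metadata": {"name": "elasticsearch", "namespace": "logging"},
    "spec": {
        "selector": {"matchLabels": {"app": "elasticsearch"}},
        "mtls": {"mode": "STRICT"},
        "portLevelMtls": {"9200": {"mode": "PERMISSIVE"}},
    },
}

# Constructed pod template following the answer's Elasticsearch snippet,
# with the exclude-port annotations left empty exactly as on the page.
ES_POD_TEMPLATE: Dict = {
    "metadata": {"annotations": {k: "" for k in EXCLUDE_ANNOTATIONS}},
    "spec": {"containers": [{
        "name": "elasticsearch",
        "image": "docker.elastic.co/elasticsearch/elasticsearch:7.2.0",
        "env": [
            {"name": "network.bind_host", "value": "127.0.0.1"},
            {"name": "network.publish_host",
             "valueFrom": {"fieldRef": {"fieldPath": "status.podIP"}}},
        ],
    }]},
}


def policy_scope(pa: Dict) -> str:
    """'workload' if a selector is set, 'mesh' in the root namespace, else 'namespace'."""
    if pa.get("spec", {}).get("selector"):
        return "workload"
    ns = pa["metadata"].get("namespace")
    return "mesh" if ns == MESH_ROOT_NAMESPACE else "namespace"


def lint_peer_authentication(pa: Dict) -> List[str]:
    """Return findings; an empty list means the policy is as narrow as it claims."""
    findings: List[str] = []
    spec = pa.get("spec", {})
    scope = policy_scope(pa)
    mode = spec.get("mtls", {}).get("mode", "UNSET")
    if mode == "DISABLE" and scope != "workload":
        findings.append(f"{scope}-wide DISABLE: every sidecar in scope loses mTLS "
                        "identity and encryption; add spec.selector or use portLevelMtls")
    port_modes = spec.get("portLevelMtls", {})
    if port_modes and scope != "workload":
        findings.append("portLevelMtls is only honoured on workload-scoped policies")
    for port, cfg in port_modes.items():
        if not str(port).isdigit():
            findings.append(f"portLevelMtls key {port!r} is not a port number")
        elif cfg.get("mode") == "DISABLE":
            findings.append(f"port {port}: DISABLE drops mTLS; PERMISSIVE keeps it for mesh clients")
    return findings


def lint_elasticsearch_template(tpl: Dict) -> List[str]:
    """Check the two network settings and the sidecar exclude-port annotations."""
    findings: List[str] = []
    env: Dict[str, Dict] = {}
    for c in tpl["spec"]["containers"]:
        if c["name"] == "elasticsearch":
            env = {e["name"]: e for e in c.get("env", [])}
    if "network.bind_host" not in env:
        findings.append("network.bind_host unset; it falls back to network.host")
    pub = env.get("network.publish_host") or {}
    if pub.get("valueFrom", {}).get("fieldRef", {}).get("fieldPath") != "status.podIP":
        findings.append("network.publish_host should come from fieldRef status.podIP")
    for key, val in tpl["metadata"].get("annotations", {}).items():
        if key in EXCLUDE_ANNOTATIONS and not val.strip():
            findings.append(f"{key} is empty: nothing is excluded; list ports (e.g. \"9200,9300\") or drop it")
    return findings


if __name__ == "__main__":
    for name, pa in (("mesh-wide", MESH_WIDE_DISABLE), ("workload", WORKLOAD_SCOPED)):
        print(name, lint_peer_authentication(pa) or "ok")
    print("elasticsearch", lint_elasticsearch_template(ES_POD_TEMPLATE) or "ok")
```

Run against the page's manifests the linter flags the mesh-wide DISABLE and the two empty annotations, and passes the workload-scoped policy; in a real pipeline the dicts would come from `yaml.safe_load()` on the manifest files before `kubectl apply`.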