
Envoy Adapter cannot work with strict Istio mTLS

Scott Ganyo edited this page Jan 14, 2021 · 1 revision

In an Istio service mesh where mTLS is enabled and set to STRICT, the Envoy Adapter must not be injected with an Istio sidecar.

Explanation:

The EnvoyFilter CR is used to configure the ext_authz Envoy filter via xDS. However, because the address of the Envoy Adapter Service is not static, a dynamic Envoy cluster with a proper TLS configuration cannot be defined. Instead, the Envoy filter is configured with a google_grpc target address, which carries no mesh mTLS (see: https://github.com/apigee/apigee-remote-service-cli/blob/60dc389aa49864cd8c71573e6b93218684b1ab3e/templates/istio-1.7/envoyfilter-sidecar.yaml#L36).

That said, if the mTLS mode of either the workload sidecars or the Envoy Adapter sidecar is set to PERMISSIVE, the connection will be allowed.
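The two workable layouts described above, as an added example that is not part of this page or of the apigee-remote-service-cli project: either keep mesh-wide STRICT and skip sidecar injection on the adapter pod, or keep mesh-wide STRICT and scope a PERMISSIVE PeerAuthentication to the adapter workload alone. The namespace `apigee`, the workload name and the label `app: apigee-remote-service-envoy` are assumptions; substitute the values from your own deployment.

```yaml
# Option A: mesh-wide STRICT stays as is; the Envoy Adapter pod simply gets
# no sidecar, so the plaintext google_grpc ext_authz call reaches it directly.
# (Deployment name, namespace and labels are assumed placeholders.)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: apigee-remote-service-envoy
  namespace: apigee
spec:
  selector:
    matchLabels:
      app: apigee-remote-service-envoy
  template:
    metadata:
      labels:
        app: apigee-remote-service-envoy
      annotations:
        sidecar.istio.io/inject: "false"   # do not inject an Istio sidecar here
    spec:
      containers:
        - name: apigee-remote-service-envoy
          image: REPLACE_WITH_ADAPTER_IMAGE   # placeholder, not a real image reference
---
# Option B: the adapter does get a sidecar, but its workload is explicitly
# PERMISSIVE while the rest of the mesh remains STRICT.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system          # root namespace: mesh-wide policy
spec:
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: apigee-remote-service-envoy-permissive
  namespace: apigee
spec:
  selector:
    matchLabels:
      app: apigee-remote-service-envoy   # assumed adapter pod label
  mtls:
    mode: PERMISSIVE                 # accepts the plaintext ext_authz gRPC
```

A workload-selector PeerAuthentication takes precedence over the mesh-wide one, so in Option B only the adapter accepts plaintext and every other workload keeps rejecting non-mTLS traffic.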