How to use mTLS without using Istio ingress and using Azure App Gateway ingress?

We have our application running in an AKS cluster and use the cert-manager Helm chart in a separate namespace for Let's Encrypt certificate generation. The argocd namespace is for handling deployments.

We need to enable mTLS. Does that require Istio to be labelled on the argocd and cert-manager namespaces also?

And we already have the Azure App Gateway ingress to route traffic to the deployments running in our namespace, so we didn't enable the Istio ingress.

Once I enabled the strict option at the global level, routing no longer works from the Azure App Gateway ingress to our application.

kubectl apply -n istio-system -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: STRICT
EOF

And I am getting 502 Bad Gateway.

If I remove the above PeerAuthentication or change it to PERMISSIVE, then the page is accessible without the 502 error.

What should I do to implement strict mode without the Istio ingress?

kubectl edit peerauthentication -n istio-system
peerauthentication.security.istio.io/default edited
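
An added example, not part of the original post and not Istio's own code: a small Python model of Istio's PeerAuthentication precedence (port-level, then workload selector, then namespace-wide, then mesh-wide), showing why the selector-less STRICT policy in istio-system reaches the application namespace and how a workload-scoped port-level setting changes the effective mode for one port only. The namespace `my-app`, the label `app=web`, the policy name `appgw-port` and the ports 8080/9090 are assumptions.

```python
ROOT_NS = "istio-system"  # Istio's default root namespace: selector-less policies here are mesh-wide

def _selector(p):
    return p["spec"].get("selector", {}).get("matchLabels")

def _mode(block):
    return (block or {}).get("mode", "UNSET")

def effective_mtls(policies, namespace, labels, port):
    """Return (mode, deciding policy) for one workload port.
    Precedence: port-level > workload selector > namespace-wide > mesh-wide."""
    def in_ns(ns, with_selector):
        return [p for p in policies if p["metadata"]["namespace"] == ns
                and (_selector(p) is not None) == with_selector]
    chain = []
    for p in in_ns(namespace, True):
        if all(labels.get(k) == v for k, v in _selector(p).items()):
            name = f'{namespace}/{p["metadata"]["name"]}'
            port_block = p["spec"].get("portLevelMtls", {}).get(port)
            chain.append((_mode(port_block), f"{name} port {port}"))
            chain.append((_mode(p["spec"].get("mtls")), name))
            break
    for ns in (namespace, ROOT_NS):
        for p in in_ns(ns, False)[:1]:
            chain.append((_mode(p["spec"].get("mtls")), f'{ns}/{p["metadata"]["name"]}'))
    for mode, source in chain:
        if mode != "UNSET":  # UNSET inherits from the next wider scope
            return mode, source
    return "PERMISSIVE", "Istio default (no policy)"

# The mesh-wide policy from the question (it was applied with -n istio-system).
MESH_STRICT = {"metadata": {"name": "default", "namespace": "istio-system"},
               "spec": {"mtls": {"mode": "STRICT"}}}
# Constructed, hypothetical policy: STRICT for the workload except the one
# port that a non-mesh client (no sidecar, no mesh certificate) connects to.
APPGW_EXCEPTION = {"metadata": {"name": "appgw-port", "namespace": "my-app"},
                   "spec": {"selector": {"matchLabels": {"app": "web"}},
                            "mtls": {"mode": "STRICT"},
                            "portLevelMtls": {8080: {"mode": "PERMISSIVE"}}}}

if __name__ == "__main__":
    for pols in ([MESH_STRICT], [MESH_STRICT, APPGW_EXCEPTION]):
        for port in (8080, 9090):
            print(len(pols), port, effective_mtls(pols, "my-app", {"app": "web"}, port))
```

A port that resolves to PERMISSIVE accepts plaintext from any client that can reach the pod, so the same resolver can be used to list every such port for review.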