Closed sando38 closed 2 months ago
Are you using a waypoint here or just ztunnel?
Just ztunnel.
Ah, I just remembered something which I read somewhere, maybe Slack:
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "no-mtls-for-tls-passthrough"
  namespace: ejabberd
spec:
  mtls:
    mode: STRICT
  selector:
    matchLabels:
      app.kubernetes.io/name: ejabberd
  portLevelMtls:
    "5222": # plain TCP with StartTLS
      mode: DISABLE
    "5223": # TLS passthrough - directTLS
      mode: DISABLE
```
With sidecar mode I needed to disable mTLS to make the proxyProtocol work. I think what I read was that ambient does not allow disabling mTLS, right?
Ztunnel does not read DestinationRule or support this configuration. Only AuthorizationPolicy and PeerAuthentication
Could you deploy a waypoint for your workload (or its namespace) to see if it works?
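For reference, this is what the suggested setup looks like in manifests: a waypoint in front of the ejabberd service, the namespace labelled to use it, and the DestinationRule that enables PROXY protocol toward the XMPP server. This is an added example, not from the issue, the reporter's bug report, or Istio's own documentation; it assumes Istio 1.22 or later with the Kubernetes Gateway API CRDs installed, and the names `waypoint`, `ejabberd-proxy-protocol` and the Service host `ejabberd.ejabberd.svc.cluster.local` are placeholders. The PeerAuthentication posted above can stay as it is, since ztunnel does honour that resource. Whether the PROXY header survives the HBONE hop in the current release is exactly what this thread is still working out, so treat this as the configuration to test, not as a confirmed fix.

```yaml
# Added example (not from the issue or from Istio's docs). Assumes Istio 1.22+
# ambient mode with Gateway API CRDs present; all names below are placeholders.
---
# 1. A waypoint proxy for the ejabberd namespace. Unlike ztunnel, the waypoint
#    is a full Envoy and applies DestinationRule trafficPolicy settings.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: ejabberd
  labels:
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
# 2. Send the namespace's services through that waypoint. The dataplane-mode
#    label is the one that replaced istio-injection during the migration.
apiVersion: v1
kind: Namespace
metadata:
  name: ejabberd
  labels:
    istio.io/dataplane-mode: ambient
    istio.io/use-waypoint: waypoint
---
# 3. The DestinationRule the issue describes: PROXY protocol v2 toward the
#    XMPP server so it sees the real client IP. ztunnel ignores this resource;
#    it only takes effect once a waypoint is in the path.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: ejabberd-proxy-protocol
  namespace: ejabberd
spec:
  host: ejabberd.ejabberd.svc.cluster.local
  trafficPolicy:
    proxyProtocol:
      version: V2
```

One check worth doing alongside this: the XMPP server's listeners that expect a PROXY header should accept it only from the proxy that is supposed to send it (here the waypoint), because any peer that can reach the port directly and prepend a PROXY header can otherwise claim an arbitrary client address. The "cannot be parsed" error in the report is also a useful signal in itself: if the first bytes on the wire are a TLS record instead of `PROXY` or the v2 signature, the header is being wrapped or dropped before it reaches the server.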
Thanks to both for the feedback. I was not aware of that, likely because not everything is documented yet, or I just have not seen it ;)
Sure, will deploy a waypoint and let you know. I suppose I can find related documentation on istio.io?
btw, how did you "Today I switch from sidecar mode to ambient"? Did your ingress gateway get HBONE enabled as well?
> Sure, will deploy a waypoint and let you know. I suppose I can find related documentation on istio.io?

Yes - the ambient getting started doc shows you how. There is also an istioctl (x) waypoint cmd.
> btw, how did you "Today I switch from sidecar mode to ambient"? Did your ingress gateway get HBONE enabled as well?

Basically I checked this guide and saw that no special flag was used for the istio-ingressgateway; therefore, I did not change anything in my gateway config.
Here is what I did:
- `--set profile=ambient` (and CNI paths (https://github.com/istio/istio.io/pull/14826))
- `--set profile=ambient` (I did/do not have any non-default configs running)
- `istio-injection: enabled` to `istio.io/dataplane-mode: ambient`
Looking at your step, I think you'd need to restart your gateway (or deploy a new revision) to get HBONE enabled. Unless you created a new gateway deployment... @ilrudie @stevenctl thoughts?
I don't think this will work right now even with HBONE enabled.
okay, then I am waiting for your guys' go ;) Thanks nonetheless for the quick feedback.
🧭 This issue or pull request has been automatically marked as stale because it has not had activity from an Istio team member since 2024-04-03. It will be closed on 2024-07-17 unless an Istio team member takes action. Please see this wiki page for more information. Thank you for your contributions.
Created by the issue and PR lifecycle manager.
Is this the right place to submit this?
Bug Description
Today I switch from sidecar mode to ambient. Actually it was a smooth transfer, however, one thing does not want to work. I run an XMPP server (TCP/TLS connections, no HTTP) behind an istio-ingressgateway and I use a destinationRule to send the proxyProtocol header upstream to the XMPP server:
The XMPP server complains that the proxy protocol header cannot be parsed. When I removed the `proxyProtocol` section in the destinationRule, all runs fine (of course I do not see the actual client public IP address).
Version
Additional Information
bug-report.tar.gz
Just let me know, if I can help anywhere with further information!