(strict) mTLS not working

[maxbischoff]

I used your redis-cluster configuration as basis for deploying an istio-injected redis-cluster in our istio setup. Since we have defined STRICT mTLS it initially didn't work. The issue can be solved by deploying a headless service. This causes envoy to create listeners for the redi-cluster Pod IPs and mTLS to work:

Headless service:

apiVersion: v1
kind: Service
metadata:
  name: redis-cluster-headless
spec:
  type: ClusterIP
  clusterIP: None
  ports:
  - port: 6379
    targetPort: 6379
    name: tcp-client
  - port: 16379
    targetPort: 16379
    name: tcp-gossip
  selector:
    app: redis-cluster

created listeners

100.67.182.48  16379 ALL                                                                      Cluster: outbound|16379||redis-cluster-headless.default.svc.cluster.local
100.67.182.5   16379 ALL                                                                      Cluster: outbound|16379||redis-cluster-headless.default.svc.cluster.local
100.69.86.254  16379 ALL                                                                      Cluster: outbound|16379||redis-cluster-headless.default.svc.cluster.local
100.70.61.172  16379 ALL                                                                      Cluster: outbound|16379||redis-cluster-headless.default.svc.cluster.local
100.70.61.177  16379 ALL                                                                      Cluster: outbound|16379||redis-cluster-headless.default.svc.cluster.local
100.72.193.249 16379 ALL                                                                      Cluster: outbound|16379||redis-cluster.default.svc.cluster.local

[zhaohuabing]

@maxbischoff thanks for fixing this issue. You may want to checkout Aeraki, which can automatically create the envofilter for Redis cluster.

Here is an example: https://github.com/aeraki-framework/aeraki/tree/master/test/e2e/redis