[SOLVED] Issues with istio-proxy to apps communication while using STRICT peerauthentication with MUTUAL

Issues with istio-proxy to apps communication while using STRICT peerauthentication with MUTUAL_TLS destinationrule

I am using STRICT peerauthetication model for ALL Pods in my default namespace. Also, ISTIO_MUTUAL destinationRule is ON for default namespace pods.

When peerauthentication is PERMISSIVE, curl from host VM to zookeeper is:

user@host:~$ curl -k -v -L 10.103.19.172:2181

Trying 10.103.19.172:2181...
TCP_NODELAY set
Connected to 10.103.19.172 (10.103.19.172) port 2181 (#0)

GET / HTTP/1.1 Host: 10.103.19.172:2181 User-Agent: curl/7.68.0 Accept: /

Empty reply from server
Connection #0 to host 10.103.19.172 left intact curl: (52) Empty reply from server user@host:~$

(Same happens fro kafka to zookeeper)- all good.

When it is STRICT:

user@host:~$ curl -k -v -L 10.103.19.172:2181

Trying 10.103.19.172:2181...
TCP_NODELAY set
Connected to 10.103.19.172 (10.103.19.172) port 2181 (#0)

GET / HTTP/1.1 Host: 10.103.19.172:2181 User-Agent: curl/7.68.0 Accept: /

Recv failure: Connection reset by peer
Closing connection 0 curl: (56) Recv failure: Connection reset by peer user@host:~$

Solution

Fixed it. See the question I posted at https://istio.slack.com/archives/C37A4KAAD/p1743157328271189

--set values.pilot.env.ENABLE_NATIVE_SIDECARS=true fixes it.

SO my istioctl command was:

istioctl install \
  --set meshConfig.defaultConfig.holdApplicationUntilProxyStarts=true \
  --set meshConfig.defaultConfig.proxyMetadata.REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION=true \
  --set meshConfig.defaultConfig.proxyMetadata.ISTIO_META_REWRITE_APP_HTTP_PROBERS=true \
  --set components.cni.enabled=true \
  --set values.pilot.env.ENABLE_NATIVE_SIDECARS=true \
  --set values.pilot.env.ENABLE_TLS_ON_SIDECAR_INGRESS=true