Support PeerAuthentication.MutualTLS.Mode Strict for RMI connections #51658
Comments
Or perhaps put another way, Istio's Auto mTLS does not seem to be getting applied to RMI connections...
IIUC RMI uses TCP and/or HTTP so it should have auto mTLS applied. Are both Java applications in the mesh?
Yes, RMI uses TCP and both Java applications are in the mesh.
What address are you using for RMI: a pod IP or a service IP?
Service IP.
Hmmm I'm not super familiar with Java and RMI; does this issue help? #15293
We can look at that issue again. But... RMI does work if we set PeerAuthentication.MutualTLS.Mode to Permissive/Disable.
/cc @ramaraochavali @howardjohn any ideas here? Only thing I can think of is that RMI doesn't like auto tls.
Not really, this needs more info on what it means to be "blocked". Access logs, etc. Probably it is sending to specific pod IPs instead of service VIPs.
So... sorry for the noise here, but it turns out there was a port misconfiguration underlying our issues. Yes, RMI works fine with Istio mTLS -- as expected.
Closing this issue as per my previous comment.
Is this the right place to submit this?
Bug Description
Our RMI connections are blocked unless we use PeerAuthentication.MutualTLS.Mode Permissive/Disabled.
We want the service mesh to handle MTLS here, so we don't have to do so ourselves -- inclusive of RMI.
Version
Additional Information
No response