Create option to allow insecure metrics requests when mTLS provider is Istio #888

Open

Description

@sobotklp

When creating a TemporalCluster resource with MTLS.provider: istio, this creates PeerAuthentication resources with the mutual TLS set to STRICT mode, as expected.

There is an issue if the metrics collector isn't itself using Istio, and therefore doesn't (automatically) have mTLS enabled when it connects to the metrics port. These requests will then fail.

In our case, this happens because we're using the DataDog agent in hostNetwork: true mode, in which case Istio sidecars are not automatically injected into the pod.

It would be handy if we could create an exception for the metrics port. Say for example,

mTLS:
  provider: istio
  permissiveMetrics: true # Allow non-TLS requests to the metrics port
  refreshInterval: 1h0m0s

which would add the following to the PeerAuthentication resource created by the operator:

portLevelMtls:
  9090:
    mode: PERMISSIVE
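An added example, written here in Go and not taken from the operator, of the generation logic the request implies: the workload-wide policy stays STRICT and only the metrics port (9090) gets a PERMISSIVE override, plus a small check a reviewer can run to confirm no other port has been relaxed. The stand-in types, the selector label and the helper names are assumptions.

```go
package main
import (
	"encoding/json"
	"sort"
)
// Hand-written stand-ins for the Istio fields used here (assumption: not istio.io/api types).
type MutualTLS struct {
	Mode string `json:"mode"`
}
type PeerAuthSpec struct {
	Selector      map[string]map[string]string `json:"selector"`
	Mtls          MutualTLS                    `json:"mtls"`
	PortLevelMtls map[uint32]MutualTLS         `json:"portLevelMtls,omitempty"`
}
type PeerAuthentication struct {
	APIVersion string       `json:"apiVersion"`
	Kind       string       `json:"kind"`
	Spec       PeerAuthSpec `json:"spec"`
}
const MetricsPort uint32 = 9090 // the port the issue proposes to relax
// BuildPeerAuthentication keeps the workload-wide mode STRICT and only adds a
// port-level PERMISSIVE override for the metrics port when permissiveMetrics is set.
func BuildPeerAuthentication(instance string, permissiveMetrics bool) PeerAuthentication {
	spec := PeerAuthSpec{
		// Selector label is an assumption; the operator's real labels may differ.
		Selector: map[string]map[string]string{"matchLabels": {"app.kubernetes.io/instance": instance}},
		Mtls:     MutualTLS{Mode: "STRICT"},
	}
	if permissiveMetrics {
		spec.PortLevelMtls = map[uint32]MutualTLS{MetricsPort: {Mode: "PERMISSIVE"}}
	}
	return PeerAuthentication{APIVersion: "security.istio.io/v1beta1", Kind: "PeerAuthentication", Spec: spec}
}
// PlaintextPorts lists, sorted, the ports a policy accepts without mTLS, so a
// review or admission check can require it to be empty or exactly {9090}.
func PlaintextPorts(pa PeerAuthentication) []uint32 {
	var ports []uint32
	for port, m := range pa.Spec.PortLevelMtls {
		if m.Mode == "PERMISSIVE" || m.Mode == "DISABLE" {
			ports = append(ports, port)
		}
	}
	sort.Slice(ports, func(i, j int) bool { return ports[i] < ports[j] })
	return ports
}
// Render serialises the policy as JSON, which kubectl applies like YAML.
func Render(pa PeerAuthentication) string {
	out, _ := json.MarshalIndent(pa, "", "  ")
	return string(out)
}
```

With permissiveMetrics disabled the portLevelMtls key is omitted entirely, so the rendered policy is byte-for-byte the STRICT one the operator produces today.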
