This page will track all the issues and workaround or solutions to address them when Istio is deployed in ONAP with mTLS enabled.
Pod Name | Issue | Workaround | Comments | |
---|---|---|---|---|
1 | message-router-kafka | Unable to connect to zookeeper |
Istio seems to have issues with headless services
[2018-08-07 17:21:49,855] INFO Opening socket connection to server 10.42.2.218/10.42.2.218:2181. Will not attempt to authenticate using SASL (unknown error) (org.apache.zookeeper.ClientCnxn) This issue occurs both with mTLS enabled and when mTLS is disabled. | ||||
2 | message-router | message-router-kafka is not ready | Depends on 1 | |
3 | sdnc-dmaap-listener | message-router is not ready | Depends on 2 | |
4 | Http liveness probe | Mutual TLS can't work with K8S http/tcp liveness probe |
| If mutual TLS is enabled, http and tcp health checks from the kubelet will not work since they do not have Istio-issued certs. |
5 | ||||
6 | ||||
7 | ||||
8 | ||||
9 |