Current issues with Istio integration with mTLS enabled

This page tracks the issues, and the workarounds or solutions that address them, when Istio is deployed in ONAP with mTLS enabled.

Pod Name

Issue

Workaround

Comments

1

message-router-kafka

Unable to connect to zookeeper



[2018-08-07 17:21:49,855] INFO Opening socket connection to server 10.42.2.218/10.42.2.218:2181. Will not attempt to authenticate using SASL (unknown error) (org.apache.zookeeper.ClientCnxn)
[2018-08-07 17:21:49,856] INFO Socket connection established to 10.42.2.218/10.42.2.218:2181, initiating session (org.apache.zookeeper.ClientCnxn)
[2018-08-07 17:21:49,857] WARN Session 0x0 for server 10.42.2.218/10.42.2.218:2181, unexpected error, closing socket connection and attempting reconnect (org.apache.zookeeper.ClientCnxn)
java.io.IOException: Packet len352518400 is out of range!

The error only occurs when DMaaP is deployed with Istio. Without Istio, DMaaP comes up fine.

The issue occurs whether mTLS is enabled or disabled.

2

message-router

message-router-kafka is not ready



Depends on 1

3

sdnc-dmaap-listener

message-router is not ready



Depends on 2

4

HTTP liveness probe

Mutual TLS does not work with Kubernetes HTTP/TCP liveness probes



If mutual TLS is enabled, HTTP and TCP health checks from the kubelet will not work, since the kubelet does not have Istio-issued certificates.
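
A diagnostic aid for the `Packet len352518400 is out of range!` error in row 1, added here as an example (not ONAP, Kafka or Istio code): the ZooKeeper client reads the first four bytes of a reply as a big-endian frame length, so the rejected value reveals what those bytes were. For the value logged on this page they are 15 03 01 00, which is how a TLS alert record begins; the function names and verdict labels are assumptions of this sketch, and the sample input is built from the log lines above.

```python
import re
import struct

# Constructed sample input: the WARN and exception lines quoted on this page.
SAMPLE_LOG = """\
[2018-08-07 17:21:49,857] WARN Session 0x0 for server 10.42.2.218/10.42.2.218:2181, unexpected error, closing socket connection and attempting reconnect (org.apache.zookeeper.ClientCnxn)
java.io.IOException: Packet len352518400 is out of range!
"""

PACKET_LEN = re.compile(r"Packet len(-?\d+) is out of range")
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def classify_length_prefix(value):
    """Treat a rejected ZooKeeper frame length as the first 4 bytes received."""
    raw = struct.pack(">i", value)  # the client reads a signed big-endian int32
    ctype, major, minor = raw[0], raw[1], raw[2]
    # TLS record header: content type, then protocol version 3.x
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4:
        return raw, "tls-record:" + TLS_CONTENT_TYPES[ctype]
    # Printable bytes usually mean a text protocol answered, e.g. b"HTTP"
    if all(0x20 <= b < 0x7F for b in raw):
        return raw, "ascii-text:" + raw.decode("ascii")
    return raw, "unknown"


def scan(log_text):
    """Return (value, hex bytes, verdict) for each out-of-range length in the log."""
    findings = []
    for match in PACKET_LEN.finditer(log_text):
        value = int(match.group(1))
        raw, verdict = classify_length_prefix(value)
        findings.append((value, raw.hex(), verdict))
    return findings


if __name__ == "__main__":
    for value, hexbytes, verdict in scan(SAMPLE_LOG):
        print(f"len={value} bytes={hexbytes} -> {verdict}")
```

A `tls-record` verdict means the bytes that reached the plaintext ZooKeeper client were TLS, which narrows the search to where on the Kafka-to-ZooKeeper path TLS is being spoken; it does not by itself identify the component responsible.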
