Current issues with Istio integration with mTLS enabled
This page will track all the issues and workaround or solutions to address them when Istio is deployed in ONAP with mTLS enabled.
Pod Name | Issue | Workaround | Comments | |
---|---|---|---|---|
1 | message-router-kafka | Unable to connect to zookeeper | [2018-08-07 17:21:49,855] INFO Opening socket connection to server 10.42.2.218/10.42.2.218:2181. Will not attempt to authenticate using SASL (unknown error) (org.apache.zookeeper.ClientCnxn) This issue occurs both with mTLS enabled and when mTLS is disabled. | |
2 | message-router | message-router-kafka is not ready | Depends on 1 | |
3 | sdnc-dmaap-listener | message-router is not ready | Depends on 2 | |
4 | Http liveness probe | Mutual TLS can't work with K8S http/tcp liveness probe |
| If mutual TLS is enabled, http and tcp health checks from the kubelet will not work since they do not have Istio-issued certs. |
5 | ||||
6 | ||||
7 | ||||
8 | ||||
9 |