When creating a `TemporalCluster` resource with `mTLS.provider: istio`, this creates `PeerAuthentication` resources with the mutual TLS set to STRICT mode, as expected.
There is an issue if the metrics collector isn't itself using Istio, and therefore doesn't (automatically) have mTLS enabled when it connects to the metrics port. These requests will then fail.
In our case, this happens because we're using the DataDog agent in `hostNetwork: true` mode, in which case Istio sidecars are not automatically injected into the pod.
It would be handy if we could create an exception for the metrics port. Say, for example:

```yaml
mTLS:
  provider: istio
  permissiveMetrics: true # Allow non-TLS requests to the metrics port
  refreshInterval: 1h0m0s
```
which would add the following to the `PeerAuthentication` resource created by the operator:

```yaml
portLevelMtls:
  9090:
    mode: PERMISSIVE
```
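As an added illustration (not part of the original issue, and not output from the operator itself), here is what a complete `PeerAuthentication` with that port-level exception looks like. The resource name, namespace and selector labels are assumptions; the port number and modes are the ones proposed above:

```yaml
# Added example: a full PeerAuthentication as the proposed permissiveMetrics
# option might render it. Not the operator's actual output; metadata and the
# selector labels below are assumptions.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: temporal-frontend        # assumed name
  namespace: temporal            # assumed namespace
spec:
  # A workload selector is required here: Istio only honours portLevelMtls on
  # policies that select specific workloads, not on namespace-wide policies.
  selector:
    matchLabels:
      app.kubernetes.io/name: temporal   # assumed label
  mtls:
    mode: STRICT                 # every other port stays mTLS-only
  portLevelMtls:
    9090:                        # metrics port from the proposal above
      mode: PERMISSIVE           # accept plaintext scrapes from non-mesh agents
```

Two practical points: `portLevelMtls` keys are the container port number, so it must match the port the metrics endpoint actually listens on, and PERMISSIVE means that port accepts both mTLS and plaintext from anything that can reach the pod IP, so the exception should stay scoped to the metrics port rather than relaxing the whole workload.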