Bug Description
If mTLS for a destination is enabled via a DR in a namespace other than istio-system, the eastwest gateway will never get endpoints for the destination service.
This is due to the fact that the eastwest gateway still applies endpoint filters, which use the mtlsChecker. East-west's mtlsChecker will have no DR for the service (since the DR was not applied to the istio-system namespace) and will therefore assume the default non-mTLS setting, which means that the endpoint will be filtered from the east-west gateway.
Judging by the comment in that code, it appears this was intentional. However, I'm not sure that this particular case was considered or tested. Other parts of the logic for eastwest gateway ignore DR, and I suspect this should as well.
Version
Additional Information
No response
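A simplified model of the filtering described in this report, added here as an illustration and not Istio's own code. The types, function names, host and address are hypothetical, and DR visibility is reduced to "same namespace as the proxy", as the report states it.

```go
package main

import "fmt"

// Hypothetical types for this sketch; they are not Istio's.
type DestinationRule struct {
	Namespace, Host string
	MutualTLS       bool // true when the DR enables mTLS for Host
}

type Endpoint struct{ Host, Address string }

// mtlsHosts models the checker: it only sees DRs in the proxy's own
// namespace (assumption taken from the report), and a host with no
// visible DR falls back to the non-mTLS default.
func mtlsHosts(proxyNS string, drs []DestinationRule) map[string]bool {
	hosts := map[string]bool{}
	for _, dr := range drs {
		if dr.Namespace == proxyNS && dr.MutualTLS {
			hosts[dr.Host] = true
		}
	}
	return hosts
}

// GatewayEndpoints returns what is left after the endpoint filter drops
// every endpoint whose host the checker considers non-mTLS.
func GatewayEndpoints(proxyNS string, drs []DestinationRule, eps []Endpoint) []Endpoint {
	mtls := mtlsHosts(proxyNS, drs)
	var kept []Endpoint
	for _, ep := range eps {
		if mtls[ep.Host] {
			kept = append(kept, ep)
		}
	}
	return kept
}

func main() {
	host := "reviews.app.svc.cluster.local" // constructed sample service
	eps := []Endpoint{{Host: host, Address: "10.0.0.7:9080"}}
	inApp := []DestinationRule{{Namespace: "app", Host: host, MutualTLS: true}}
	inSystem := []DestinationRule{{Namespace: "istio-system", Host: host, MutualTLS: true}}
	fmt.Println("DR in app:", len(GatewayEndpoints("istio-system", inApp, eps)))
	fmt.Println("DR in istio-system:", len(GatewayEndpoints("istio-system", inSystem, eps)))
}
```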