This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 49%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EUK%3C/text%3E%3C/svg%3E)
We have our application running in aks cluster and using cert-manager helm chart in separate namespace for lets encrypt certificate generation. argocd namespace is for handling deployments.
We need to enable mTLS, does that required istio to be labelled on argocd,cert-manager namespaces also?
And, we already have azure appgateway ingress to route traffic to the deployments running in our namespace, so didn’t enabled istio ingress.
Once I enabled strict option at global level, the routing is not working from azure app gateway ingress to our application.
kubectl apply -n istio-system -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
spec:
mtls:
mode: STRICT
EOF
And getting 502 bad gateway.
If I remove above peerauthentication or change that to PERMISSIVE.
Then it is able to access page without 502 error.
What to do for this to implement strict mode but without istio ingress.
kubectl edit peerauthentication -n istio-
Hello Uday Kiran Reddy (ureddy)
Any update on the issue?
Just checking in to see if you got a chance to see previous response.
If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.
Hello Uday Kiran Reddy (ureddy)
Firstly, apologies for the delay in responding here.
In order to achieve mTLS , the ingress gateway and the backend application must both present and verify certificates. Application Gateway does not have support for backend TLS encryption (often called re-encrypt).
I checked with internal team on this, support for using the Istio addon with Application Gateway for Containers is in product team roadmap. There is no ETA on this yet.
Hope this helps.
I tried keeping istio ingress in the middle between application and app gateway. But, application and app gateway related ingress both are in application namespace and istio ingress gateway will be in the istio-system or istio-gateway namespace. There is no option I found to route traffic from app gateway to a kubernetes service (istio ingress here) in a different namespace.
Can you please guide on that.
Hello Uday Kiran Reddy (ureddy)
Can you please confirm specific app gateway you are using?
azure application gateway (tried both waf and standard v2).
And istio ingress pointed to it
Hello Uday Kiran Reddy (ureddy)
Apologies for delayed response on this.
Can you please confirm if you are using managed istio addon, or you have deployed your own istio from OSS? If latter, it is not supported.
I tried both
Hello Uday Kiran Reddy (ureddy)
This issue needs deeper investigation. Support team will be able to check and help on this. I would recommend you to open a azure support case.
If you don't have a support plan enabled on your subscription, I request you to send an email to AzCommunity@Microsoft.com with Subject as "Attn:Vikas" referencing this thread along with your subscription ID. I can then enable your subscription with a one-time free technical support.
Once the issue is resolved, request you to post the resolution here for the benefit of community.