Can I disable mTLS in the transparent sidecar proxy but keep the ServiceIntentions enforcement rules? I can’t seem to make mTLS work seamlessly, so I’d like to get rid of it, though traffic approve/deny enforcement via intentions is something I’d happily keep.
You can’t disable mTLS at the moment, unfortunately.
What is it about mTLS that doesn’t work seamlessly?
Things such as:
- Make Traefik not expose underlying Consul TLS - Traefik v2 - Traefik Labs Community Forum
- I’ve noticed that this issue occurs much less frequently now that I don’t use the proxy (not sure if that was the culprit, as this issue still occurs, just rarely)
- I was also worried about this comment. In fact, I’m trying to integrate Vault with an existing Consul cluster right now and it’s not an easy task even w/o the proxy…
Traefik 2.5 gained support for natively integrating with Consul service mesh (https://traefik.io/blog/integrating-consul-connect-service-mesh-with-traefik-2-5/).
Have you considered using this instead of deploying a sidecar alongside Traefik? This would allow Traefik to directly initiate mTLS connections to backend services instead of routing through an Envoy sidecar.