The solution is:
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: vault
  namespace: vault
spec:
  selector:
    matchLabels:
      app.kubernetes.io/instance: vault
  mtls:
    mode: UNSET
  portLevelMtls:
    8080:
      mode: PERMISSIVE
    8201:
      mode: PERMISSIVE
    443:
      mode: PERMISSIVE
```
Port 8200 is deliberately left out of `portLevelMtls`, so it falls back to the workload-level `mode: UNSET`, which in turn inherits the namespace-wide or mesh-wide PeerAuthentication (STRICT in this cluster, as the test below shows). Applications calling Vault's HTTP API on 8200 therefore reach it only over Istio mTLS, while 8080, 8201 and 443 stay PERMISSIVE and accept both mTLS and plaintext. Note that UNSET is not itself "mTLS on": without a STRICT parent policy it resolves to PERMISSIVE and 8200 would accept plaintext too.
Test result:
The test below shows mTLS is enforced on 8200:
• From the application container, the request goes through the sidecar and succeeds.
• From the istio-proxy container itself, the request fails: the sidecar's own outbound traffic is not redirected through Envoy, so it arrives at Vault's sidecar as plaintext and is reset.
npcore2@ip-172-20-223-79:~/tmpmtls$ k exec -ti -n hpbp-stg-core nginx-f95db8445-74csm -- bash
root@nginx-f95db8445-74csm:/# curl -H "X-Vault-Token: s.xxxx" -X GET http://vault.vault:8200/v1/hpbp-status/secrets
{"request_id":"2fb93f1d-56fa-c344-d73a-3c5968c3c9f1","lease_id":"","renewable":false,"lease_duration":2764800,"data":{"awsAccessKey":"xxxx","awsAccessToken":"xxx","clientId":"f7f3cba4-xxxx-xx-a7b1-xxx","clientSecret":"xxxxx","mongoUri":"mongodb+srv://hpbp-dev-status:xxxx@global0.t8s5e.mongodb.net/hpbp-dev-status?retryWrites=true","pagerDutyToken":"xxxx","redisToken":"xxx"},"wrap_info":null,"warnings":null,"auth":null}
root@nginx-f95db8445-74csm:/# exit
exit
npcore2@ip-172-20-223-79:~/tmpmtls$ k exec -ti -n hpbp-stg-core nginx-f95db8445-74csm -c istio-proxy -- bash
istio-proxy@nginx-f95db8445-74csm:/$ curl -H "X-Vault-Token: s.xxxxx" -X GET http://vault.vault:8200/v1/hpbp-status/secrets
curl: (56) Recv failure: Connection reset by peer
This shows the injector webhook fired: the pod below has three containers and two init containers (`Init:0/2`), one of which is the injected vault-agent-init. It was still in Init after 18 minutes; if a pod stays there, check its events and the init container's output (`k describe pod nginx2-77bbf8cf45-9l569` and `k logs nginx2-77bbf8cf45-9l569 -c vault-agent-init`).
npcore2@ip-172-20-223-79:~/tmpmtls$ k get pods
NAME READY STATUS RESTARTS AGE
nginx2-77bbf8cf45-9l569 0/3 Init:0/2 0 18m
Vault's own logs show no ERROR entries after the change. The only WARN is unrelated to Istio: the MySQL storage backend connection has no TLS, so Vault's storage credentials cross the network in plaintext. This PeerAuthentication covers traffic into the Vault pods, not Vault's outbound connection to MySQL, so that warning has to be fixed on the storage side (TLS on the MySQL connection) rather than silenced with `plaintext_connection_allowed`.
npcore2@ip-172-20-223-79:~/tmpmtls$ k logs -n vault vault-2 |grep "WARN\|ERROR"
2021-12-24T05:12:30.965Z [WARN] storage.mysql: No TLS specified, credentials will be sent in plaintext. To mute this warning add 'plaintext_connection_allowed' with a true value to your MySQL configuration in your config file.
2021-12-24T05:12:32.031Z [WARN] storage.mysql: No TLS specified, credentials will be sent in plaintext. To mute this warning add 'plaintext_connection_allowed' with a true value to your MySQL configuration in your config file.
npcore2@ip-172-20-223-79:~/tmpmtls$ k logs -n vault vault-1 |grep "WARN\|ERROR"
2021-12-24T05:12:20.244Z [WARN] storage.mysql: No TLS specified, credentials will be sent in plaintext. To mute this warning add 'plaintext_connection_allowed' with a true value to your MySQL configuration in your config file.
2021-12-24T05:12:21.328Z [WARN] storage.mysql: No TLS specified, credentials will be sent in plaintext. To mute this warning add 'plaintext_connection_allowed' with a true value to your MySQL configuration in your config file.
npcore2@ip-172-20-223-79:~/tmpmtls$ k logs -n vault vault-0 |grep "WARN\|ERROR"
2021-12-24T05:12:25.311Z [WARN] storage.mysql: No TLS specified, credentials will be sent in plaintext. To mute this warning add 'plaintext_connection_allowed' with a true value to your MySQL configuration in your config file.
2021-12-24T05:12:26.354Z [WARN] storage.mysql: No TLS specified, credentials will be sent in plaintext. To mute this warning add 'plaintext_connection_allowed' with a true value to your MySQL configuration in your config file.
Explanation of the solution:
Why add 443? The injector's webhook Service exposes 443, and the call to it comes from the kube-apiserver, which is outside the mesh and speaks ordinary TLS, not Istio mTLS. Keep in mind that `portLevelMtls` keys are workload (container) ports, not Service ports, so check what this 443 maps to (`k get svc -n vault vault-agent-injector-svc -o yaml`, look at `targetPort`); if it maps to the 8080 listener, the 8080 entry is the one actually doing the work and the 443 entry is redundant but harmless.
npcore2@ip-172-20-223-79:~/tmpmtls$ k get svc -n vault
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
vault-agent-injector-svc ClusterIP 172.20.78.144 443/TCP 11d
Why add 8080? The injector container listens on 8080 (AGENT_INJECT_LISTEN). Because the webhook request comes from the kube-apiserver, which cannot present an Istio client certificate, a STRICT 8080 rejects the call and the vault-agent-init container is never injected; PERMISSIVE lets that plain TLS connection through.
Why leave 8201 PERMISSIVE but keep 8200 on mTLS? 8201 is Vault's cluster port (`https-internal`), used for request forwarding between Vault nodes, and Vault always protects it with its own TLS regardless of the API listener's settings. 8200 is the API port, served here over plain HTTP, so it is the one that gains from Istio mTLS. The Service shows the two ports:
```yaml
ports:
  - name: http
    port: 8200
    protocol: TCP
    targetPort: 8200
  - name: https-internal
    port: 8201
    protocol: TCP
    targetPort: 8201
```
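To make the inheritance explicit, here is an added example (not code from the original post, nor from Istio or Vault) that models the PeerAuthentication precedence rules Istio documents, port-level over workload-level over namespace-wide over mesh-wide with a PERMISSIVE default, and resolves the effective mode for each Vault port under the page's policy. The mesh-wide STRICT policy and the pod labels are assumptions, not something shown on the page.

```python
"""Effective Istio PeerAuthentication mTLS mode per workload port.

Added example, not code from the original post or from Istio/Vault: a small
model of the precedence rules Istio documents for PeerAuthentication
(port-level > workload-level > namespace-wide > mesh-wide > PERMISSIVE default)
applied to the page's Vault policy. Assumptions that are not on the page: a
mesh-wide STRICT policy in istio-system, and the pod labels used below.
"""

ROOT_NAMESPACE = "istio-system"  # Istio's default mesh root namespace
DEFAULT_MODE = "PERMISSIVE"      # what UNSET resolves to when no parent sets a mode

# The page's PeerAuthentication, transcribed into a dict (port keys are ints).
VAULT_POLICY = {
    "metadata": {"name": "vault", "namespace": "vault"},
    "spec": {
        "selector": {"matchLabels": {"app.kubernetes.io/instance": "vault"}},
        "mtls": {"mode": "UNSET"},
        "portLevelMtls": {
            8080: {"mode": "PERMISSIVE"},
            8201: {"mode": "PERMISSIVE"},
            443: {"mode": "PERMISSIVE"},
        },
    },
}

# Assumed mesh-wide default (constructed for this example; not shown on the page).
MESH_STRICT = {
    "metadata": {"name": "default", "namespace": ROOT_NAMESPACE},
    "spec": {"mtls": {"mode": "STRICT"}},
}

# Labels assumed on the Vault and injector pods (Helm release name "vault").
VAULT_LABELS = {"app.kubernetes.io/instance": "vault"}
VAULT_PORTS = (8200, 8201, 8080, 443)


def _selects(policy, labels):
    """True if every matchLabels entry of the policy's selector is present on the pod."""
    match = policy["spec"]["selector"].get("matchLabels", {})
    return all(labels.get(k) == v for k, v in match.items())


def _mode(policy, port=None):
    """Mode the policy sets for `port` (port-level first, then workload-level); None if UNSET."""
    spec = policy["spec"]
    if port is not None:
        m = spec.get("portLevelMtls", {}).get(port, {}).get("mode", "UNSET")
        if m != "UNSET":
            return m
    m = spec.get("mtls", {}).get("mode", "UNSET")
    return None if m == "UNSET" else m


def effective_mtls_mode(policies, namespace, labels, port):
    """Resolve the mode Istio enforces on one inbound workload port.

    Scopes are tried narrowest first; an UNSET at one scope falls through to the
    next. Istio applies a single policy per scope, so the first match is used.
    """
    workload = [p for p in policies
                if p["metadata"]["namespace"] == namespace
                and "selector" in p["spec"] and _selects(p, labels)]
    ns_wide = [p for p in policies
               if p["metadata"]["namespace"] == namespace and "selector" not in p["spec"]]
    mesh = [p for p in policies
            if p["metadata"]["namespace"] == ROOT_NAMESPACE and "selector" not in p["spec"]]
    for scope, use_port in ((workload, True), (ns_wide, False), (mesh, False)):
        if scope:
            m = _mode(scope[0], port if use_port else None)
            if m is not None:
                return m
    return DEFAULT_MODE


def vault_port_modes(policies, ports=VAULT_PORTS):
    """Effective mode for each Vault-related port under the given policies."""
    return {p: effective_mtls_mode(policies, "vault", VAULT_LABELS, p) for p in ports}


if __name__ == "__main__":
    for title, pols in (("with mesh-wide STRICT", [VAULT_POLICY, MESH_STRICT]),
                        ("without any parent policy", [VAULT_POLICY])):
        print(title)
        for port, mode in vault_port_modes(pols).items():
            print(f"  {port}: {mode}")
```

Running it with the assumed mesh-wide STRICT policy gives STRICT for 8200 and PERMISSIVE for 8201, 8080 and 443, matching the test results above; dropping the mesh-wide policy turns 8200 PERMISSIVE as well, which is why the `UNSET` on the Vault policy only protects 8200 if a STRICT parent exists.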