Can I disable mTLS on Istio so my sidecar will start without certs?


We're moving some services to using Istio 1.15 (and later) from quite an old version, before istiod was introduced. On our old clusters TLS was disabled by default, so none of our services needed certificates. Now with this new version, TLS is enabled by default, and some services are happy to create certificates for this and some are not. Those services that don't have certs and have sidecar proxies enabled won't run on our newer clusters because the certs the sidecar is looking for don't exist/aren't mounted:

    failed to start SDS server: failed to start workload secret manager failed to find root CA cert for CA: root CA file for CA does not exist ./etc/certs/root-cert.pem

I'm trying to disable TLS altogether to keep everyone happy, with no success.

I've tried overwriting the IstioOperator with this setting, which works for those services, but then the ingressgateway doesn't start:

    controlPlaneAuthPolicy: NONE

I've created a mesh-wide PeerAuthentication policy, but that doesn't stop the pods' sidecars looking for certs on startup.

I've never really worked with Istio before, so any help would be greatly appreciated.


There is 1 answer

sirius78m

The second I posted this I figured it out. We were using 3rd-party certs, so to switch back to using Istio as the CA instead of disabling mTLS altogether, I modified these two settings in the Istio operator CRD:

    spec:
      values:
        global:
          # Was set to true, hence the error above: the sidecar expected
          # certs to be mounted at /etc/certs instead of fetching them via SDS.
          mountMtlsCerts: false

          # Was set to custom (third-party CA); istiod now issues workload certs.
          pilotCertProvider: istiod
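For anyone landing here with the same startup error, below is a complete IstioOperator manifest that carries the two settings from the answer, paired with a mesh-wide PeerAuthentication. This is an added example, not the asker's manifest and not an Istio project file; the resource names, the `istio-system` namespace and the `default` profile are assumptions, and the PeerAuthentication is included to show that the fix keeps mTLS on (with istiod as CA) rather than turning it off, which is what the question originally set out to do.

```yaml
# Added example (not from the original post). Assumptions: operator resource
# named "istio-controlplane" in namespace "istio-system", "default" profile.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-controlplane
  namespace: istio-system
spec:
  profile: default
  values:
    global:
      # istiod acts as the mesh CA and hands workload certs to each sidecar
      # over SDS at startup. The failing setup had this set to "custom".
      pilotCertProvider: istiod
      # With SDS in use, nothing needs to be mounted into /etc/certs. When
      # this was true, the proxy looked for /etc/certs/root-cert.pem and
      # aborted with "root CA file for CA does not exist".
      mountMtlsCerts: false
---
# Mesh-wide policy: must be named "default" and live in the root namespace
# (istio-system) to apply to the whole mesh. STRICT assumes every workload
# has a sidecar; use PERMISSIVE while sidecar-less workloads still exist.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

Apply the operator part with `istioctl install -f <file>` and the PeerAuthentication with `kubectl apply -f <file>`. To confirm a sidecar is now receiving istiod-issued certificates instead of waiting on a mounted file, run `istioctl proxy-config secret <pod> -n <namespace>`; the `default` and `ROOTCA` entries should be listed as active, which is the state the original error message indicates was never reached.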