Let's say an Istio-enabled Service A exposes a port 8080 which is named http, and as such Istio performs L7 load balancing when accessing it from inside of the mesh.
I'd like to know if there is a way to access this 8080 port from a pod/service B that doesn't have the Istio sidecar. In such case the traffic would be:
B -> A Envoy -> A
or
B -> A
This way, I'm able to access an A's port that is not named http (i.e., only L4 load balancing is in place).
My particular use-case is that I have Prometheus (not running in the mesh) with Prometheus Operator scraping the services running in the mesh directly (Istio Mixer is not involved; the services expose their own business logic metrics). It works for me only and only if a given service doesn't name its port http.
If you have auth (mTLS) enabled, it doesn't work, by design, as in that case Istio tries to protect all service-to-service communication.
You can turn auth off, and if that doesn't help, also try with the Istio 0.2.4 release candidate (or whichever is the latest at the time you read this, see https://github.com/istio/istio/releases) and see if the problem persists. If it does, please file an issue at https://github.com/istio/issues/issues/new
In 0.3 (and possibly earlier) we'll let you have fine-grained control over mTLS.