Is selective Istio mTLS possible?

2/2/2020

I have Istio 1.4.0 running on Kubernetes 1.15.9. I'm trying to achieve the setup below, but the more I read the Istio documentation the more confused I get. Let me put it in a simple way.

First thing is, I want to have mTLS for maximum services (if possible).

I have one elasticsearch-master pod with a service exposed on 9300. I have one elasticsearch-data pod with a service exposed on 9200 and 9300. When I have Istio's default automatic mTLS enabled, both of these pods work nicely and a healthy ES cluster starts up. I think that's because ES master and data nodes communicate over port 9300. Also, I don't want to access any of these ES pods from outside of the K8S cluster.

Now, I want to start one Kibana pod with a service exposed on 5601. When I start the Kibana pod with Istio's default automatic mTLS enabled, it fails to start, because it can't connect to the elasticsearch-data service on 9200. I'm getting all kinds of SSL errors (maybe because of the whole mTLS thing?). I don't know if it's even possible to have this connection with Istio's automatic mTLS enabled. Also, I want to access this Kibana from outside of the K8S cluster.

Appreciate your help. Thanks.

-- ajit

Tags: elasticsearch, istio, kubernetes

1 Answer

2/6/2020

Kibana works with an http URL only. But in order to make the elasticsearch master and data nodes communicate with each other, I have to put port 9300 in Istio's exclude list.

-- ajit
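The two ways Istio 1.4 offers to take a single port out of strict mTLS, written out as an added example that is not part of the original question or answer. The first manifest does what the answer describes: it keeps port 9300 out of the sidecar's iptables interception, so the master/data transport traffic bypasses Envoy entirely. The second keeps port 9200 inside the mesh but allows plaintext on it (PERMISSIVE), which preserves sidecar telemetry and policy for that port. Workload names, the `default` namespace, and the StatefulSet wrapper are assumptions; the annotation keys and the `Policy`/`DestinationRule` schemas are the ones shipped with Istio 1.4.

```yaml
# --- Option 1: what the answer did for 9300 (bypass the sidecar on that port) ---
# Assumed StatefulSet for the elasticsearch-master workload; only the pod
# template annotations matter here. Traffic on an excluded port is not
# redirected to Envoy at all, so it gets no mTLS and no Istio telemetry.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch-master   # assumed name
  namespace: default           # assumed namespace
spec:
  selector:
    matchLabels:
      app: elasticsearch-master
  serviceName: elasticsearch-master
  template:
    metadata:
      labels:
        app: elasticsearch-master
      annotations:
        # Inbound 9300 (transport port) is not captured by the sidecar.
        traffic.sidecar.istio.io/excludeInboundPorts: "9300"
        # Outbound connections to other nodes' 9300 also bypass the sidecar,
        # otherwise the calling side would still originate mTLS.
        traffic.sidecar.istio.io/excludeOutboundPorts: "9300"
    spec:
      containers:
      - name: elasticsearch
        image: docker.elastic.co/elasticsearch/elasticsearch:7.5.0  # assumed image
        ports:
        - containerPort: 9300
---
# --- Option 2: keep the port in the mesh but accept plaintext on it ---
# Istio 1.4 authentication policy scoped to one service and one port:
# 9200 on elasticsearch-data accepts both mTLS and plaintext; every other
# port stays at the mesh default (STRICT if that is what the mesh policy says).
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: elasticsearch-data-9200-permissive
  namespace: default
spec:
  targets:
  - name: elasticsearch-data   # assumed service name
    ports:
    - number: 9200
  peers:
  - mtls:
      mode: PERMISSIVE
---
# The client side must match: an explicit DestinationRule overrides auto mTLS
# detection, so mTLS is kept on all ports except 9200, where TLS is disabled
# and Kibana's plain http:// URL works through its own sidecar.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: elasticsearch-data
  namespace: default
spec:
  host: elasticsearch-data.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    portLevelSettings:
    - port:
        number: 9200
      tls:
        mode: DISABLE
```

Option 1 is the blunter tool: an excluded port is invisible to Istio, so it cannot be covered by mesh authorization policy or show up in Envoy metrics. Option 2 narrows the plaintext exception to one service and one port while leaving the rest of the mesh (including 9300 between the ES nodes) on mTLS, which is the smaller change to audit.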
Source: StackOverflow