Open
Labels
type/bug: Something isn't working
Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
- If you are interested in working on this issue or have submitted a pull request, please leave a comment.
Overview of the Issue
I'm onboarding the k8s service into Consul Mesh with mTLS permissive mode. After applying the mTLS permissive configuration, the mesh service can call the non-mesh service, but the non-mesh service cannot call the mesh service.
Reproduction Steps
- Allow permissive mTLS modes for incoming traffic
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: Mesh
metadata:
  name: mesh
spec:
  allowEnablingPermissiveMutualTLS: true
  transparentProxy:
    meshDestinationsOnly: false
```
- Enable permissive mTLS mode for the service
```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: static-server
spec:
  mutualTLSMode: "permissive"
```
Logs
Expected behavior
- When permissive mode is enabled, a non-mesh service can call the mesh service.
Environment details
- Kubernetes version: RKE2 1.28.15+rke2r1
- CNI: Calico
Additional Context