Seldon Operator and Istio with strict mTLS does not work

[fico-jessecarroll]

Hello.

I came across issues when deploying models in the scenario described in the title. Is this supported? The work-around was to add a policy to the namespace to allow permissive mTLS. Can this be an enhancement if not supported at this time?

Thanks

[ukclivecox]

This sounds like a useful enhancement. Can you explain more the issue and are you able to provide a PR (maybe just docs) to illustrate the fix?

[fico-jessecarroll]

Sure. I'll try to find some time today or early next week. The work-around policy manifest is fairly straight forward.
apiVersion: "authentication.istio.io/v1alpha1" kind: "Policy" metadata: name: "default" spec: peers: - mtls: mode: PERMISSIVE
This I found needs to be applied in the namespace of seldon and the namespace where the model is deployed, otherwise, the pod of the model reports a 503. I have't had time to dig into debugging the istio-proxy sidecar.

[fico-jessecarroll]

Created a pull request. Have you 'merged' this into core? If so, i can create pull request for that as well if you approve this.
Thanks

[ukclivecox]

Yes. Would be great to open on there.

[ukclivecox]

Will this be ok for users who don't want mTLS?

[fico-jessecarroll]

I'll open an issue in the seldon-core project and put in a pull request.

So I tested both permissive and strict mTLS and this seems to work with both. You and your team are obviously free to test/verify, catch any usecase I might have missed.

Thanks