NoServerCertificateVerificationPortLevel
Message Name | NoServerCertificateVerificationPortLevel |
Message Code | IST0129 |
Description | No caCertificates are set in DestinationRule, this results in no verification of presented server certificate for traffic to a given port. |
Level | Warning |
This message occurs when caCertificates
is not set in a destination rule, but is needed for the traffic policy.
Example
You will receive this message:
Error [IST0129] (DestinationRule db-tls.default) DestinationRule default/db-tls in namespace default has TLS mode set to SIMPLE but no caCertificates are set to validate server identity for host: mydbserver.prod.svc.cluster.local at port number:443
when your cluster has the following destination rule:
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
name: db-tls
spec:
host: mydbserver.prod.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 443
tls:
mode: SIMPLE
clientCertificate: /etc/certs/myclientcert.pem
privateKey: /etc/certs/client_private_key.pem
sni: my-nginx.mesh-external.svc.cluster.local
# caCertificates not set
In this example, the destination rule db-tls
specifies TLS, but does not set the CA certificate file.
How to resolve
- Supply the filename of a CA certificate
- Change the traffic policy so that a certificate is not needed