Kuma Mesh with delegated Kong Gateway

Hello everyone,

On my Kubernetes cluster I have a Kuma Mesh running with a delegated Kong Gateway.
At first I had only one API with an ingress rule running. Everything worked like a charm. But after adding another ingress on the same port 80 (with a different path), neither of the routes works anymore.

I am getting the following error in the Kong gateway pod:

2022/10/11 12:24:52 [error] 1113#0: *16687 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 10.224.0.6, server: kong, request: "GET /inspector HTTP/2.0", upstream: "http://10.0.181.253:80/inspector", host: "testing.example.net"

EDIT: I think this has something to do with mTLS enabled in the mesh. The kong sidecar expects a client certificate to communicate with the sidecar proxy of the inspector pod.
Is there a way to disable this at the kong sidecar?

EDIT2: Even with mTLS disabled, this can't be resolved…

Both are running in the same namespace with the Kuma sidecar annotation.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: inspector-ingress
  namespace: testing
  annotations:
    cert-manager.io/cluster-issuer: acme-http01-cert-issuer
spec:
  ingressClassName: kong
  tls:
  - hosts:
    - testing.example.net
    secretName: acme-http01-cert-issued
  rules:
  - host: testing.example.net
  - http:
      paths:
      - path: /inspector
        pathType: ImplementationSpecific
        backend:
          service:
            name: inspector
            port:
              number: 80
      - path: /inspector
        pathType: ImplementationSpecific
        backend:
          service:
            name: inspector
            port:
              number: 443
---
apiVersion: v1
kind: Service
metadata:
  name: inspector
  namespace: testing
  labels:
    app: inspector
spec:
  selector:
    app: inspector
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443
      name: https
    - protocol: TCP
      port: 80
      targetPort: 80
      name: http

These are the values my Kong gateway is configured with:

# Basic values.yaml configuration for Kong for Kubernetes (with the ingress controller)

image:
  repository: kong
  tag: "3.0"

env:
  prefix: /kong_prefix/
  database: "off"
  log_level: "debug"

ingressController:
  enabled: true
  installCRDs: false
  image:
    tag: "2.7"

podAnnotations:
  kuma.io/gateway: enabled
  kuma.io/sidecar-injection: enabled

Here I added some TCP configuration to have access to an MQTT broker.

spec:
  template:
    spec:
      containers:
      - name: proxy
        env:
        - name: KONG_STREAM_LISTEN
          value: 0.0.0.0:1883
        ports:
        - containerPort: 1883
          name: mqtt
          protocol: TCP
---
spec:
  ports:
  - name: mqtt
    port: 1883
    protocol: TCP
    targetPort: 1883

And here is how I have Kuma configured:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
    - name: ca-1
      type: builtin
---
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  namespace: testing
  name: all-traffic-allowed
spec:
  sources:
    - match:
        kuma.io/service: '*'
  destinations:
    - match:
        kuma.io/service: '*'

A lot of information. Hopefully someone can help me with this one. Thanks in advance! :slight_smile: