Thanks for getting back to me, Sanjay. As far as I can tell, my client and server are both using the appropriate Xds credentials:

The client code is at https://github.com/wfhartford/kotlin-grpc-xds/blob/18598a7e9210be7265bc753b136cb424d087ab77/client/src/main/kotlin/ca/cutterslade/kotlingrpcxds/client/main.kt#L26

    Grpc.newChannelBuilder(targetUrl, XdsChannelCredentials.create(InsecureChannelCredentials.create())).build()

The server code is at https://github.com/wfhartford/kotlin-grpc-xds/blob/18598a7e9210be7265bc753b136cb424d087ab77/server/src/main/kotlin/ca/cutterslade/kotlingrpcxds/server/main.kt#L45

    XdsServerBuilder.forPort(8443, XdsServerCredentials.create(InsecureServerCredentials.create()))

The insecure credentials provided to both are a fallback, and it looks like the sample you linked is doing the same thing. I'm not sure why, but I'm guessing that the secure connection is failing and it is falling back to insecure.

Based on the example you linked, the only other requirement is that the GRPC_XDS_BOOTSTRAP environment variable is set, which is being done by the istio sidecar; kubectl describe pod shows that both the client and server containers have two environment variables injected:

    GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT: true
    GRPC_XDS_BOOTSTRAP: /etc/istio/proxy/grpc-bootstrap.json

There are only two warning lines being logged from both the client and the server:

    14:51:55.314 [main] WARN i.g.n.s.io.netty.bootstrap.Bootstrap - Unknown channel option 'SO_KEEPALIVE' for channel '[id: 0xba433026]'
    14:51:55.314 [main] WARN i.g.n.s.io.netty.bootstrap.Bootstrap - Unknown channel option 'io.grpc.netty.shaded.io.netty.channel.epoll.EpollChannelOption#TCP_USER_TIMEOUT' for channel '[id: 0xba433026]'

Do you know of anything else I might be missing that is required for a secure connection?

Thanks,
Wesley

On Tue, May 23, 2023 at 11:10 PM 'sanjay...@google.com' via grpc.io <grpc-io@googlegroups.com> wrote:

> On Wednesday, May 17, 2023 at 11:07:43 AM UTC-7 Wesley Hartford wrote:
>
> ...
> What doesn't seem right:
>
> - A server interceptor reports that ServerCall.getSecurityLevel() returns NONE,
>
> Seems right when you are using InsecureChannelCredentials i.e. plaintext.
>
> - When I configure Istio to enforce STRICT mTLS via a namespace wide PeerAuthentication resource, the client's connection to the server fails with: io.grpc.StatusException: UNAVAILABLE: Connection timeout for priority outbound|8443||server.kotlin-grpc-xds.svc.cluster.local[child1]
>
> You will have to modify the client code to use XdsCredentials as described in https://github.com/grpc/grpc-java/tree/master/examples/example-xds#run-the-example-with-xds-credentials . I am assuming the server is using XdsServerCredentials.
>
> Is this the expected behavior, or have I missed something?
>
> Thanks for any insight you might have.
>
> Wesley
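
The thread above turns on whether calls are silently using the plaintext fallback credentials. As an added example (not part of the thread or of the linked repository), this Kotlin server interceptor logs what the transport actually negotiated for each call and rejects anything below PRIVACY_AND_INTEGRITY; the class name RequireTlsInterceptor and its enforce flag are hypothetical.

```kotlin
import io.grpc.Grpc
import io.grpc.Metadata
import io.grpc.SecurityLevel
import io.grpc.ServerCall
import io.grpc.ServerCallHandler
import io.grpc.ServerInterceptor
import io.grpc.Status
import java.util.logging.Logger

// Hypothetical interceptor: the name and the reject policy are assumptions
// made for this example, not code from the project discussed in the thread.
class RequireTlsInterceptor(private val enforce: Boolean = true) : ServerInterceptor {
    private val log = Logger.getLogger(RequireTlsInterceptor::class.java.name)

    override fun <ReqT, RespT> interceptCall(
        call: ServerCall<ReqT, RespT>,
        headers: Metadata,
        next: ServerCallHandler<ReqT, RespT>
    ): ServerCall.Listener<ReqT> {
        // NONE here means the call arrived over the plaintext fallback.
        val level = call.securityLevel
        // The SSLSession attribute is only present when the transport did TLS.
        val session = call.attributes.get(Grpc.TRANSPORT_ATTR_SSL_SESSION)

        log.info(
            "method=${call.methodDescriptor.fullMethodName} " +
                "securityLevel=$level tls=${session != null} " +
                "protocol=${session?.protocol} cipher=${session?.cipherSuite}"
        )

        if (enforce && level != SecurityLevel.PRIVACY_AND_INTEGRITY) {
            // Fail closed: never hand a plaintext call to the service.
            call.close(
                Status.UNAUTHENTICATED.withDescription("plaintext transport rejected"),
                Metadata()
            )
            return object : ServerCall.Listener<ReqT>() {}
        }
        return next.startCall(call, headers)
    }
}

// Registration on the server builder quoted in the thread:
//   XdsServerBuilder.forPort(8443, XdsServerCredentials.create(InsecureServerCredentials.create()))
//       .intercept(RequireTlsInterceptor())
```

With enforce set to false the interceptor only logs, which is enough to confirm from the server side whether the fallback is in use.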