Enable permissive mTLS mode

Depending on the services you are onboarding, you may not need to enable permissive mTLS mode. If the service does not accept incoming traffic or accepts traffic from downstream services that are already part of the service mesh, then permissive mTLS mode is not required to continue.

To enable permissive mTLS mode for the service, set MutualTLSMode=permissive in the service defaults configuration entry for the service. The following example shows how to configure this setting for a service named example-service.

Kind      = "service-defaults"
Name      = "example-service"

MutualTLSMode = "permissive"

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: example-service
spec:
  mutualTLSMode: "permissive"

{
    "Kind": "service-defaults",
    "Name": "example-service",
    "MutualTLSMode": "permissive"
}

Refer to the service defaults configuration reference for information about all settings.

You can change this setting back to strict at any time to ensure mTLS is required for incoming traffic to this service.