Dear Community!
Istio is mission critical for our project and I am responsible for making it all work across 300+ microservices.
I researched Istio for half a year and did a POC on basically everything, except one topic. The one thing we were absolutely sure about, based on the docs, was that mTLS wouldn't be a problem, as Istio automatically handles the certificates, tunnels the communication from proxy to proxy, and by switching it on we can automatically use HTTPS with mTLS. Sadly that is not the case.
We have REST-based APIs across the cluster that can be called from other services, and we categorized them. We have our root.ca, from which we created the necessary certs and keys for Istio and added them to the cluster. We installed Istio afterwards, as per the documentation.
Everything works: our VirtualService routing, the headless Service for the main categories, AuthorizationPolicy, you name it. But if we apply STRICT mode to the services we experience the following (PERMISSIVE mode works perfectly, of course):
curl -i -X GET https://istio-validator-svc.main-category1.foo.svc.cluster.local:3011/validate
I receive this error: self signed certificate in certificate chain
Of course plain http results in "Empty Response From server".
I added a DestinationRule with ISTIO_MUTUAL to the target services; nothing really changed.
Also, as for now we only have internal communication that relies on Istio, we do NOT use Istio Ingress Gateways.
Istio / Plug in CA Certificates
This doc does not really tell you either how the two services (here sleep and httpbin) should communicate with each other through the mTLS tunnel.
I also found this article: Istio / Destination Rule
But it does not make sense to me to semi-manually add these certs and keys to the clients (basically every possible microservice that can be called) via their Dockerfile or Deployment.
What am I missing?
Please help me figure this out.
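As an added illustration (not part of the original post, and not Istio's own tooling or the poster's manifests), here are the manifests and the checks a practitioner would run to verify a STRICT mTLS setup like the one described above. The namespace foo, the mesh-wide PeerAuthentication, the wildcard DestinationRule host, and the pod and container names are assumptions; only the target URL comes from the post. The security-relevant point the checks encode: with a sidecar, the application sends plain http:// and the istio-proxy container originates mTLS with the mesh CA's workload certificates, so the application never validates a certificate itself; a client pod that has no istio-proxy container reaches the server sidecar directly, where plaintext is rejected in STRICT mode and app-originated TLS is presented a certificate chained to the mesh CA that the client's own trust store does not contain.

```shell
#!/bin/sh
# Added example for verifying Istio STRICT mTLS. Not from the original post.
# Assumptions (not stated in the post): namespace "foo", kubectl/istioctl on
# the PATH, service port named "http". Pod/container names are illustrative.

# Emit the mTLS manifests. A PeerAuthentication named "default" in
# istio-system with no selector is mesh-wide: every sidecar rejects plaintext.
# The DestinationRule is only needed when auto mTLS is disabled; with the
# default (auto mTLS on) sidecars already originate mTLS to sidecar'd peers.
mtls_manifests() {
  ns="${1:-foo}"
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: mtls-for-${ns}
  namespace: ${ns}
spec:
  host: "*.${ns}.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF
}

# Pure helper: does a space-separated container list contain the sidecar?
# Kept free of kubectl so it can be checked without a cluster.
names_include_sidecar() {
  case " $1 " in
    *" istio-proxy "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Does the given pod (namespace, pod) actually carry the Envoy sidecar?
# A client without istio-proxy talks to the server sidecar directly:
# plain http is reset (empty reply) and https:// from the app is shown a
# certificate chained to the mesh CA that the app's trust store does not know.
has_sidecar() {
  names_include_sidecar "$(kubectl get pod "$2" -n "$1" \
      -o jsonpath='{.spec.containers[*].name}')"
}

# Probe from inside a sidecar'd pod (namespace, pod, app container, host:port/path).
# The app must use plain http://; the client sidecar upgrades it to mTLS.
# Using https:// here makes the app originate its own TLS, the wrong layer.
probe_over_mesh() {
  kubectl exec -n "$1" "$2" -c "$3" -- \
    curl -sS -o /dev/null -w '%{http_code}\n' "http://$4"
}

# Target from the post, reached over plain http (assumption: the target pod
# serves plain HTTP on 3011 and its sidecar terminates the mTLS).
TARGET="istio-validator-svc.main-category1.foo.svc.cluster.local:3011/validate"

# Typical session (not executed when the file is sourced):
#   mtls_manifests foo | kubectl apply -f -
#   has_sidecar foo sleep-7d8f9 || echo "client has no sidecar: inject it"
#   probe_over_mesh foo sleep-7d8f9 sleep "$TARGET"     # expect 200
#   istioctl proxy-status                                # both proxies SYNCED
```

Apply the manifests with the first command, then run the probe from a pod that has_sidecar reports as carrying istio-proxy; a 200 there and an empty reply from a pod without the sidecar is exactly the behaviour STRICT mode is meant to produce. If the probe from a sidecar'd pod still fails, check istioctl proxy-status to confirm both proxies have received the configuration before looking elsewhere.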