Basic Authentication between services when istio not injected yet


Is it possible somehow to allow basic user authentication between microservices on the mesh?
our current cluster-internal communication is user-pass one.

we want to enable Istio and gradually add services to the mesh so they will be use mTLS and will ditch the user-password approach.

but, in order to do it one by one, we should have the ability to do something like:

  • communication between 2 istio-enabled services will be using mtSL
  • communication between services while one of them not yet istio-enabled will be with user-password (instead of plainText).

what is the right way of doing so?
keeps the user-pass approach and services that will be added to istio, will have 2 layers of auth, both encryption and user-password, and once all services will be migrated to istio, remove the user-password?

maybe do some kind of check on Envoy to see and decide when to use user-password somehow?


Basic authentication is just setting the Authorization header, and without TLS it’ll always be plainText. In my opinion using basic authentication between services wont add much security if you are not already encrypting traffic. You could use NetworkPolicies if you only want certain apps to talk to each other instead. If you do want some type of request authentication i would recommend JWTs which are supported by istio. Again if you are not using TLS the same security issues apply.

I Agree.
once all our services will be migrated to Istio, they will use mTLS and we will ditch the current user-password approach.
i was just wondering how do do it gradually.
i guess i will need to leave it as it is and once all services will be migrated to remove the user-pass.