Client to egressgateway - is it MTLS?

alexlo-corp · June 30, 2021, 6:00pm

Hi, Very short version of my earlier question - I have
Client → Egressgateway → internet target

How can I tell that Client → Egressgateway is MTLS or not?

Tools like Kiali want to look at Policy and say that flows are MTLS or not, but how can I tell from logs or other means?

Thanks

alexlo-corp · July 6, 2021, 3:24pm

Anyone trying to figure this out:

turn on logging (I suggest JSON format)
per 4 steps to debug your edge microservices in an Istio service mesh – IBM Developer - istioctl proxy-config log istio-egressgateway-b5c9c5-xxxxx.istio-system --level debug
(turn it on and off for your test, it makes lots of logs)
search for x-forwarded-client-cert and look at the spiffe IDs

Good luck.

Topic		Replies	Views
mTLS origination for egress traffic with custom mTLS between client istio-proxy and egress gateway Security	1	2853	June 9, 2021
mTLS origination on egress: selecting client certificates based on traffic source Networking security	3	948	May 6, 2020
Egressgateway via MTLS to TLS origination Networking	2	462	June 25, 2021
Is there a way I can confirm from istio logs that the sidecar communications are really mTLS	4	664	December 14, 2019
Mutual TLS origination by Egress Gateway Security	2	691	April 12, 2019