Configuring Mutual TLS through MCP


#1

We (CloudFoundry mesh networking team) are trying to enable mTLS via MCP. We were able to configure Destination Rules (code below), which seems like it’s the only part that can be configured in the Protos currently.

Code here:

Unfortunately, this isn’t working. We’ve identified a discrepancy in Envoy’s config_dump between a working kube deployment, and a non-working CF deployment, that we think might point to the problem.

In CF, this has added a tls_context to all the dynamic_active_clusters, which has all the information we would expect. However, connections fail while negotiating.

In Kube, there’s a section under dynamic_active_listeners that has a tls_context, and the clusters do not. How can we get our config to look like this through MCP?

I can provide full dumps of our CF envoy config (and the kube envoy config we’re comparing it to) if desired.

PS I tried joining the Slack, but sign ups appear closed which is unfortunate. If you’d like to have a real-time conversation you can find us in the Cloud Foundry slack in #istio.


#2

@rshriram - could you help with bubbling this up with the right folks in the istio-networking community?


#3

@shannoncoen - if you can help with bubbling this up too.


#4

mTLS requires two pieces… DestinationRules and authpolicies… auth policies are enabled using a separate CRD. I am not sure if that CRD is shipped via Galley or not.


#5

Bump? We’re a little blocked on this.


#6

I responded to @shubhaat over slack didn’t i?


#7

Make sure Galley is shipping MeshPolicy (authentication.istio.io/…) CRD. if it doesn’t, then thats where your problem lies