Curl from istio-proxy. Where are the certs?

Hi, I’m on Istio 1.8, and before that I was working with 1.3 some time ago.
I tried to curl another service from the istio-proxy container in an mTLS-enabled cluster, but I can’t find the certificates to present anymore. How is this done these days?

I double-checked the mTLS config for the pod I tried to curl from:

DestinationRule: productpage for "productpage"
   Matching subsets: v1
   Traffic Policy TLS Mode: ISTIO_MUTUAL
1 Like

Not sure about Istio 1.3, but if you are referring to the dynamic certificates that are periodically generated for the service account corresponding to the istio-proxy container (since you are using ISTIO_MUTUAL), you can obtain them by issuing the following command from outside the cluster:
istioctl pc secret pod-name -n namespace
From inside the container, this might be more challenging, since these certificates reside only in memory and are not backed up in the file system anymore.

1 Like
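To check which workload identity the sidecar actually holds, the JSON form of the command in the answer above can be summarised offline. This is an added example, not code from the thread or from the Istio project; it assumes the `-o json` output carries `dynamicActiveSecrets` entries with base64 `inlineBytes` PEM bundles, and the embedded sample is constructed, not a real certificate.

```python
import base64
import hashlib
import json
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(bundle):
    """Split a PEM bundle into a list of DER-encoded certificates."""
    return [base64.b64decode(b"".join(body.split())) for body in PEM_RE.findall(bundle)]

def spiffe_id(der):
    """Return the spiffe:// URI SAN, stored in DER as tag 0x86, a length byte, then ASCII."""
    m = re.search(rb"\x86(.)spiffe://", der, re.S)
    if m is None or m.group(1)[0] >= 0x80:  # long-form lengths are not handled here
        return None
    start = m.end(1)
    return der[start:start + m.group(1)[0]].decode("ascii")

def summarize(dump):
    """One row per certificate Envoy holds: SDS secret name, position, fingerprint, identity."""
    rows = []
    for entry in dump.get("dynamicActiveSecrets", []):
        secret = entry.get("secret", {})
        # Workload cert chain ("default") or trust bundle ("ROOTCA"); key material is ignored.
        b64 = (secret.get("tlsCertificate", {}).get("certificateChain", {}).get("inlineBytes")
               or secret.get("validationContext", {}).get("trustedCa", {}).get("inlineBytes"))
        if not b64:
            continue
        for i, der in enumerate(pem_to_der(base64.b64decode(b64))):
            rows.append({"secret": entry.get("name"), "index": i,
                         "sha256": hashlib.sha256(der).hexdigest(), "spiffe_id": spiffe_id(der)})
    return rows

def constructed_dump():
    """Constructed sample: the bytes are NOT real certificates, only a SAN-shaped TLV."""
    uri = b"spiffe://cluster.local/ns/default/sa/bookinfo-productpage"
    fake_leaf = b"\x30\x82\x01\x00" + b"\x86" + bytes([len(uri)]) + uri + b"\x30\x0d"
    def wrap(der):
        pem = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"
        return base64.b64encode(pem).decode()
    return {"dynamicActiveSecrets": [
        {"name": "default", "secret": {"tlsCertificate": {"certificateChain": {"inlineBytes": wrap(fake_leaf)}}}},
        {"name": "ROOTCA", "secret": {"validationContext": {"trustedCa": {"inlineBytes": wrap(b"\x30\x03fake")}}}}]}

if __name__ == "__main__":
    dump = constructed_dump() if sys.stdin.isatty() else json.load(sys.stdin)
    for row in summarize(dump):
        print(row)
```

Pipe the output of `istioctl pc secret pod-name -n namespace -o json` into the script to run it against a live sidecar; with no piped input it prints the constructed sample.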

Thanks mate, this is a good enough explanation. That makes a lot of sense.