Decrypt TLS traffic at Istio gateways


We are developing a tracing tool that captures the network packets on pod interfaces and post-processes them offline for monitoring purposes. One of the requirements from a customer is to monitor traffic on the ingress and egress gateways (of course we use Istio gateways :slight_smile: ), with TLS enabled for both. While the capture is fine, I have a couple of questions regarding the decryption of the data during post-processing.

  • Is there any API (with authorization or something similar) that istiod or the gateway provides for accessing the private key or the session key? It sounds crazy, but I can't see a better alternative for decrypting the data offline. This is critical in the case of the egress gateway, where the private key is configured by the external server operator.
  • Is there any better approach for tracing and monitoring TLS traffic at the gateways?

Any help or pointers are appreciated.