Definition of mTLS for Kafka using DestinationRule

I’m trying to secure the TCP connection from a pod to the Kafka broker with mTLS. The first step I tried was to create a DestinationRule and VirtualService with mTLS for the Kafka service. Since it is hard to verify whether the Kafka connections are encrypted using plain tcpdump, I looked into the Prometheus metrics of the Envoy proxy. The metrics for the Kafka broker show that the connection_security_policy is “unknown”. This metric stays the same if I enable global mTLS for the complete service mesh. Also, what I find a bit odd is that the Prometheus metrics for Envoy show the service as destination_service=“demo-app-log-cluster-kafka-brokers.kafka.svc.cluster.local”, whereas tcpdump shows the endpoint as demo-app-log-cluster-kafka-0.demo-app-log-cluster-kafka-brokers.kafka.svc.cluster.local.9092, which makes more sense, because (from my point of view as a Kafka noob) a Kafka client is talking directly to a pod and not to the Kafka service. I tried to create a ServiceEntry for the Kafka pod with no success. Does someone have an idea how to set up mTLS for Kafka explicitly with DestinationRules and VirtualServices? Is there an easy way to verify that Kafka requests are using mTLS?

Thanks in advance,


Is Kafka part of the mesh? If you need to use mTLS from Istio, you will need to use plain HTTP from inside the app in the source pod.

Kafka is part of the mesh. I would like to use mTLS from Istio and not from Kafka for the communication (if it is possible).
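For reference, here is the kind of Istio configuration the thread is asking about. This is an added example, not something posted in the thread: it assumes the broker service name and port 9092 from the original post, a namespace named kafka, and an Istio release with the PeerAuthentication API (1.5 or later). No VirtualService is needed for this: for a TCP service, the DestinationRule's tls mode is what makes the client sidecar originate mTLS, and the PeerAuthentication is what makes the broker sidecars require it (the broker listener itself must stay plaintext, as the reply above says, otherwise TLS would be wrapped in TLS).

```yaml
# Added example (not from the thread). Assumed values: namespace "kafka",
# the headless broker service from the post, and port 9092.
#
# 1. Require mTLS on every sidecar in the kafka namespace. With no selector this
#    applies to all workloads there, so inter-broker traffic on 9092 is covered too.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: kafka-strict
  namespace: kafka
spec:
  mtls:
    mode: STRICT
---
# 2. Make client sidecars originate Istio mTLS towards the broker service.
#    The host is the headless service name; the poster's destination_service label
#    shows that Envoy maps the per-pod broker connections onto this service, so the
#    rule covers the advertised-listener pod addresses as well.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: kafka-brokers-mtls
  namespace: kafka
spec:
  host: demo-app-log-cluster-kafka-brokers.kafka.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

On verification: the connection_security_policy label is only meaningful on the destination-reported side. Metrics emitted by the client sidecar (reporter="source") carry "unknown" for this label by design, which is what the original post observed, so it does not mean the connection is unencrypted. Look at the broker's own sidecar instead, for example with `kubectl -n kafka exec demo-app-log-cluster-kafka-0 -c istio-proxy -- pilot-agent request GET stats/prometheus | grep istio_tcp_connections_opened_total` (pod name assumed from the tcpdump hostname in the post); after the rules above are applied, new connections should appear with reporter="destination" and connection_security_policy="mutual_tls", and a client without a sidecar should be refused once STRICT is in force.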