Enable mTLS for ingress gateway but disable mTLS within the mesh

ritz · January 31, 2019, 7:11am

Hello!
I have Istio 1.0.5 on EKS.
I have enabled mTLS for ingress gateway and globally within the mesh. But i would like to disable the mTLS globally(service to service) and just keep the mTLS enabled for traffic coming into the mesh from outside via the ingress gateway.

This configuration doesnt seem to work for me. May be i am not doing something right .

global:

controlPlaneSecurityEnabled: true

mtls:

enabled: false

This is how my gateway yaml looks like

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: apigateway
spec:
selector:
istio: ingressgateway # use istio default ingress gateway
servers:

port:
number: 80
name: http
protocol: HTTP
tls:
httpsRedirect: true
hosts:
- “*”
port:
number: 443
name: https
protocol: HTTPS
tls:
mode: MUTUAL
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
privateKey: /etc/istio/ingressgateway-certs/tls.key
caCertificates: /etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem

hosts:
- “*”

YangminZhu · February 2, 2019, 3:03am

Would you mind to clarify a little more about what isn’t working in your case? Like is the gateway not working? or is the traffic inside the mesh having issues? Thanks.

Topic		Replies	Views
How to enable mTLS within mesh in AWS EKS? Security security	1	2299	October 26, 2020
mTLS working just between some services with tls-check showing STATUS OK Security	0	807	September 2, 2019
Optional mutal TLS for ingressgateway	3	885	June 7, 2019
Istio Gateway without mTLS	1	520	October 11, 2019
Accessing service using istio ingress gives 503 error when mTLS is enabled	0	490	January 13, 2019

Enable mTLS for ingress gateway but disable mTLS within the mesh

Related topics