Enable mTLS for ingress gateway but disable mTLS within the mesh


#1

Hello!
I have Istio 1.0.5 on EKS.
I have enabled mTLS for the ingress gateway and globally within the mesh. But I would like to disable mTLS globally (service to service) and just keep mTLS enabled for traffic coming into the mesh from outside via the ingress gateway.

This configuration doesn't seem to work for me. Maybe I am not doing something right.

```yaml
global:
  controlPlaneSecurityEnabled: true
  mtls:
    enabled: false
```

This is how my gateway YAML looks:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: apigateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
    hosts:
    - "*"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: MUTUAL
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      caCertificates: /etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem
    hosts:
    - "*"
```
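The two settings in this question are controlled by different Istio resources, which is worth making explicit. The `mode: MUTUAL` on the 443 server of the Gateway above is the gateway's own listener setting: Envoy on the ingress gateway demands a client certificate and verifies it against `caCertificates`, independently of whether sidecars inside the mesh use mTLS. Service-to-service mTLS in Istio 1.0 is governed by the mesh-wide `MeshPolicy` (what sidecars accept) and by `DestinationRule` TLS settings (what sidecars originate). The following manifests are an added example, not from the original post or from the Istio project; they show a mesh-wide authentication policy that stops requiring mTLS and a mesh-wide destination rule that stops sidecars from originating it, while the Gateway above is left unchanged. The resource names `default` and the host pattern `*.local` follow the Istio 1.0 conventions; the namespace `istio-system` is assumed.

```yaml
# Added example (not from the original post). Relaxes service-to-service mTLS
# inside the mesh without touching the ingress gateway's MUTUAL TLS listener.

# 1. Mesh-wide authentication policy. PERMISSIVE lets sidecars accept both
#    plaintext and mTLS connections. Deleting the MeshPolicy entirely is the
#    other way to stop sidecars from requiring mTLS.
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
---
# 2. Mesh-wide destination rule. DISABLE stops sidecars from originating mTLS
#    to any in-cluster host; without this, a rule with ISTIO_MUTUAL left over
#    from an install with global.mtls.enabled=true keeps traffic on mTLS.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system   # assumed namespace for mesh-wide rules
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: DISABLE
```

`global.mtls.enabled` is an install-time Helm value: flipping it in values.yaml does not change a cluster that was already installed with it enabled, because the `MeshPolicy` and the mesh-wide `DestinationRule` created by that install stay in place. Check what is actually present with `kubectl get meshpolicy -o yaml` and `kubectl get destinationrules --all-namespaces -o yaml` before applying the manifests above, and keep any more specific `DestinationRule` that still needs `ISTIO_MUTUAL` for particular services. The ingress gateway's client-certificate check continues to apply to external traffic either way.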

#2

Would you mind clarifying a little more about what isn't working in your case? Like, is the gateway not working? Or is the traffic inside the mesh having issues? Thanks.