Enable STRICT MTLS for external clients

I have a flat network and each pod has a routable IP.

Setup

I have enabled MTLS -

  1. DestinationRule has tls MUTUAL (should not matter in this case)
  2. Policy - is set to STRICT TLS.

I am using my own CA and want a client outside the mesh to access an MTLS enabled service inside the mesh.

My findings

Istio-proxy logs on the service pod show has_user: false when client is external.
Shows has_user: true when client is internal.

Question

Is it even possible to do what I am trying to do? In the migration document it's mentioned that existing clients use plain text.

I don’t think there will be a problem if you configure everything correctly.

Could you be more explicit about what error you see? Are you using the same CA for issuing certs inside and outside the cluster? Does the external client connect to Pilot to get the secure naming info?

Thanks for checking back Oliver.

The issue got resolved: the client cert I used did not have a URI: entry in its SAN, hence it was getting rejected.

@Oliver - I got it working for an external client.

But I have two clients, internal (in mesh) and external.

To enforce in mesh client MTLS, I need DestinationRule.

When I have a DestinationRule with MUTUAL policy, it blocks the external client (which passes client certs).

If I remove DestinationRule or use mode: DISABLE then it works.

Have you tested this scenario?

The error that I see in my server’s istio-proxy is

[2022-02-07T13:14:31.620Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 0 - "-" "-" "-" "-" "-" - - 192.168.45.132:8080 192.168.45.173:49310 - -

The cert that I am using does have a URI, as follows:

X509v3 Subject Alternative Name: critical
                URI:spiffe://cluster.local/ns/default/sa/myclient

And the curl command that I use from my client Pod is something like this

curl -I http://mytlssvc.default.svc --resolve mytlssvc.default.svc:80:<clusterIP> -v --cacert /etc/prom-certs/root-cert.pem  --cert /etc/prom-certs/cert-chain.pem  --key /etc/prom-certs/key.pem -k

Could you please help.
Thanks

EDIT:
In addition to this, I am not using my own CA. I get the certificate via Istio using the Prometheus example mentioned here.
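The root cause reported in this thread was a client certificate without a SPIFFE URI in its Subject Alternative Name. Istio derives the workload identity from exactly that URI SAN (spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>), so a quick way to check a cert before pointing curl at the mesh is to extract and validate that field. The following is an added example, not code from the thread or from Istio; it uses only the Go standard library and builds throwaway self-signed certs as constructed test data, one with the SAN shown above and one without any URI SAN.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// SpiffeIdentity returns the trust domain, namespace and service account a sidecar reads from
// a client cert; Istio expects exactly one URI SAN shaped spiffe://<td>/ns/<ns>/sa/<sa>.
func SpiffeIdentity(cert *x509.Certificate) (td, ns, sa string, err error) {
	if len(cert.URIs) != 1 || cert.URIs[0].Scheme != "spiffe" {
		return "", "", "", fmt.Errorf("want exactly one spiffe:// URI SAN, got %v", cert.URIs)
	}
	u := cert.URIs[0]
	p := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(p) != 4 || p[0] != "ns" || p[2] != "sa" {
		return "", "", "", fmt.Errorf("unexpected SPIFFE path %q", u.Path)
	}
	return u.Host, p[1], p[3], nil
}

// SelfSignedWithURIs builds a throwaway self-signed cert with the given URI SANs (constructed test data, not a CA-issued cert).
func SelfSignedWithURIs(uris ...*url.URL) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), URIs: uris,
		Subject: pkix.Name{CommonName: "myclient"}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	id, _ := url.Parse("spiffe://cluster.local/ns/default/sa/myclient")
	good, _ := SelfSignedWithURIs(id)
	bad, _ := SelfSignedWithURIs() // no URI SAN at all: the shape of the cert that was rejected
	fmt.Println(SpiffeIdentity(good)) // cluster.local default myclient <nil>
	fmt.Println(SpiffeIdentity(bad))
}
```

To check a real PEM file instead, decode it with encoding/pem and pass the x509.ParseCertificate result to SpiffeIdentity.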