Error using TLS MUTUAL in DestinationRule for external Service

Hey Guys!

We have a service inside our Mesh that communicates with an external server using MUTUAL authentication. For that, we have created:

  1. A ServiceEntry for that service listening on Port 443
  2. A DestinationRule with tls mode MUTUAL, with clientCertificate and privateKey referencing a certificate mounted into the sidecar (via annotation).

When a new Pod starts, istio-proxy never becomes Ready. It prints the following message:

warning    envoy config    [external/envoy/source/common/config/grpc_subscription_impl.cc:101] gRPC config for type.googleapis.com/envoy.api.v2.Cluster rejected: Error adding/updating cluster(s) outbound|443|mutual|api.gateway.com: Proto constraint validation failed (UpstreamTlsContextValidationError.CommonTlsContext: ["embedded message failed validation"] caused by CommonTlsContextValidationError.CombinedValidationContext: ["embedded message failed validation"] | caused by CombinedCertificateValidationContextValidationError.ValidationContextSdsSecretConfig: ["value is required"]):
common_tls_context {
tls_certificate_sds_secret_configs {
  name: "file-cert:/etc/apigateway-certificates/client.crt~/etc/apigateway-certificates/client.key"
  sds_config {
    api_config_source {
      api_type: GRPC
      grpc_services {
        envoy_grpc {
          cluster_name: "sds-grpc"
        }
      }
    }
  }
}

And, right after that, a lot of:

Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 5 rejected; lds updates: 10 successful, 0 rejected

We are using Istio 1.6.2.
Can anyone help with this?

Hey guys. It turns out that, despite the documentation (https://istio.io/latest/docs/reference/config/networking/destination-rule/), caCertificates is a mandatory attribute when tls mode is MUTUAL (which makes perfect sense). We were not providing it in order to skip server auth for test purposes, and that is why the error happened.

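For reference, here is a complete set of manifests for the setup the thread describes (external host, TLS origination with a client certificate, certificate mounted into the sidecar via annotation) with caCertificates present. This is an added example, not the poster's own manifests: the hostname api.gateway.com, the client.crt/client.key paths and the subset name "mutual" are taken from the Envoy error in the first post; the Secret name, volume name, ca.crt file name and Deployment name are assumptions.

```yaml
# Added example (not from the original post). Hostname, cert paths and
# subset name come from the error message; Secret/volume/Deployment names
# and the ca.crt file name are assumptions.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: api-gateway
spec:
  hosts:
  - api.gateway.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 443
    name: https
    protocol: HTTPS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: api-gateway
spec:
  host: api.gateway.com
  subsets:
  - name: mutual            # yields cluster outbound|443|mutual|api.gateway.com
    trafficPolicy:
      tls:
        mode: MUTUAL
        clientCertificate: /etc/apigateway-certificates/client.crt
        privateKey: /etc/apigateway-certificates/client.key
        # Omitting the line below on Istio 1.6.2 reproduces the rejection
        # ("ValidationContextSdsSecretConfig: value is required"): the
        # cluster then has no validation context at all.
        caCertificates: /etc/apigateway-certificates/ca.crt   # assumed file name
        sni: api.gateway.com
---
# Mount the Secret holding client.crt, client.key and ca.crt into the
# sidecar (not the app container) using the Istio 1.6 sidecar annotations.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-client          # assumed name
spec:
  selector:
    matchLabels:
      app: api-client
  template:
    metadata:
      labels:
        app: api-client
      annotations:
        sidecar.istio.io/userVolume: '[{"name":"apigateway-certs","secret":{"secretName":"apigateway-client-certs"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"apigateway-certs","mountPath":"/etc/apigateway-certificates","readonly":true}]'
    spec:
      containers:
      - name: app
        image: example/api-client:latest   # placeholder image
```

After applying, `istioctl proxy-status` should report CDS as SYNCED for the pod instead of the repeated "cds updates: 0 successful, N rejected", and `istioctl proxy-config cluster <pod> --fqdn api.gateway.com -o json` shows the outbound cluster with both the client certificate SDS entry and a validation context pointing at the CA file. Leaving caCertificates out to "skip server auth" is not a supported shortcut: with it set, the proxy actually verifies the external server's certificate, which is the half of mutual TLS that protects the client.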