I’ve been experimenting with ways of configuring Istio to perform mTLS with an endpoint outside of the cluster. I’ve found that using a ServiceEntry and a DestinationRule can achieve this; however, I had to do a bit of hacking to configure the certificates to use.
The DestinationRule looked like this:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mtls-foo
spec:
  host: foo.bar.baz
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/clientkey.pem
      caCertificates: /etc/certs/rootca.pem
```
The DestinationRule documentation (Istio / Destination Rule) doesn’t state where those paths actually are or how to get the certificates to those paths.
I found that these paths were in the FS of the istio-proxy. I found a way to get the certs there by:
- creating a secret in my application’s namespace with the certificate chain, key, and trusted root.
- running istioctl kube-inject to create a manifest for my application with the Istio sidecar et al. injected in.
- editing the manifest to mount the secret in the istio-proxy with the certificates at the paths above.
- applying the edited manifest with
How would one achieve this in production where istio is auto-injecting Pods with the mutating webhook?
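As an added example (not from the original post), here is what the manual procedure above looks like as manifests: a Secret carrying the chain, key and root under the file names the DestinationRule references, and a Deployment whose pod annotations ask the sidecar injector to mount that Secret into the istio-proxy container at /etc/certs. It assumes the injector honors the sidecar.istio.io/userVolume and sidecar.istio.io/userVolumeMount annotations; the Secret name, namespace, image and PEM contents are constructed placeholders.

```yaml
# Constructed example: Secret in the application's namespace holding the
# client chain, key and trusted root. Key names match the file names the
# DestinationRule points at under /etc/certs.
apiVersion: v1
kind: Secret
metadata:
  name: mtls-foo-certs        # constructed name
  namespace: myapp            # constructed namespace
type: Opaque
stringData:
  myclientcert.pem: |
    -----BEGIN CERTIFICATE-----
    <placeholder: client certificate chain>
    -----END CERTIFICATE-----
  clientkey.pem: |
    -----BEGIN PRIVATE KEY-----
    <placeholder: client private key>
    -----END PRIVATE KEY-----
  rootca.pem: |
    -----BEGIN CERTIFICATE-----
    <placeholder: trusted root CA>
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp                 # constructed name
  namespace: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
      annotations:
        # Assumed injector annotations: JSON arrays of core/v1 Volume and
        # VolumeMount objects that the injector adds to the istio-proxy
        # container (not the application container), so no hand edit of
        # the injected manifest is needed. Mount read-only: the proxy only
        # needs to read the key, never write it.
        sidecar.istio.io/userVolume: '[{"name":"mtls-foo-certs","secret":{"secretName":"mtls-foo-certs"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"mtls-foo-certs","mountPath":"/etc/certs","readOnly":true}]'
    spec:
      containers:
      - name: myapp
        image: myapp:latest   # constructed image
```

Because the private key lives in a Secret rather than in the injected manifest, RBAC on that Secret (and encryption at rest for etcd) is what limits who can read it, so scope it to the application's namespace only.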