I’ve been experimenting with ways of configuring Istio to perform mTLS with an endpoint outside of the cluster. I’ve found that using a ServiceEntry and a DestinationRule can achieve this, however I had to do a bit of hacking to configure the certificates to use.
The DestinationRule looked like this:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mtls-foo
spec:
  host: foo.bar.baz
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/clientkey.pem
      caCertificates: /etc/certs/rootca.pem
```
The DestinationRule documentation doesn’t state where those paths actually are or how to get the certificates to those paths (Istio / Destination Rule).
I found that these paths were in the filesystem of the istio-proxy container. I found a way to get the certs there by:
- creating a secret in my application’s namespace with the certificate chain, key, and trusted root.
- using `istioctl kube-inject` to create a manifest for my application with the Istio sidecar et al. injected in.
- editing the manifest to mount the secret in the istio-proxy with the certificates at the paths above.
- applying the edited manifest with `kubectl apply`.
How would one achieve this in production where istio is auto-injecting Pods with the mutating webhook?
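A worked version of the manual procedure described in the post above, added here as an example; it is not code from the original post or from Istio's own documentation. It assumes a namespace `myapp`, a Secret `foo-mtls-client` and a Deployment `myapp` (all hypothetical names), and it chooses the secret's key names so that each file lands at exactly the path the DestinationRule references. Instead of hand-editing the injected manifest, the sidecar mount is added with a strategic merge patch, which is less error-prone to repeat.

```yaml
# Added example, not from the original post. Assumed names: namespace "myapp",
# Secret "foo-mtls-client", Deployment "myapp"; change them to your own.
#
# 1. Create the secret from the PEM files. The key names become the file names
#    inside the volume, so they are chosen to match the DestinationRule's
#    clientCertificate, privateKey and caCertificates paths:
#
#      kubectl -n myapp create secret generic foo-mtls-client \
#        --from-file=myclientcert.pem=./client-chain.pem \
#        --from-file=clientkey.pem=./client.key \
#        --from-file=rootca.pem=./rootca.pem
#
# 2. Inject the sidecar into the plain Deployment manifest and apply it:
#
#      istioctl kube-inject -f myapp-deployment.yaml | kubectl apply -f -
#
# 3. Patch the injected Deployment so only the istio-proxy container sees the
#    files. This is a strategic merge patch: containers merge by "name",
#    volumes by "name" and volumeMounts by "mountPath", so the injected
#    container keeps everything else the injector put on it:
#
#      kubectl -n myapp patch deployment myapp \
#        --patch "$(cat istio-proxy-certs.patch.yaml)"
#
# --- istio-proxy-certs.patch.yaml ---
spec:
  template:
    spec:
      volumes:
        - name: foo-mtls-client
          secret:
            secretName: foo-mtls-client
            # Secret volume files are root-owned; the proxy runs as a non-root
            # uid, so the default 0644 (or 0444) is what lets it read the key.
            defaultMode: 0444
      containers:
        # Mount into istio-proxy only. The application container never needs
        # the client key, so it is deliberately not mounted there.
        - name: istio-proxy
          volumeMounts:
            # Per-file mounts via subPath, so an existing mount at /etc/certs
            # in the injected proxy (older Istio mounts its own certs there)
            # is not shadowed by a whole-directory mount.
            - name: foo-mtls-client
              mountPath: /etc/certs/myclientcert.pem
              subPath: myclientcert.pem
              readOnly: true
            - name: foo-mtls-client
              mountPath: /etc/certs/clientkey.pem
              subPath: clientkey.pem
              readOnly: true
            - name: foo-mtls-client
              mountPath: /etc/certs/rootca.pem
              subPath: rootca.pem
              readOnly: true
```

After the rollout, check from inside the sidecar that the three files are present at the expected paths before debugging the TLS handshake itself, e.g. `kubectl -n myapp exec <pod> -c istio-proxy -- ls -l /etc/certs`. Two caveats: subPath mounts do not pick up later changes to the Secret, so a certificate rotation needs a pod restart; and this patch only works because the istio-proxy container already exists in the manifest after `istioctl kube-inject`. For auto-injected pods, Istio's injection template also reads the pod annotations `sidecar.istio.io/userVolume` and `sidecar.istio.io/userVolumeMount` (JSON lists of volumes and mounts to add to the sidecar) in the releases that support them; check the resource annotations reference for your Istio version before relying on them.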