How to configure certs for DestinationRule using MUTUAL tls mode

I’ve been experimenting with ways of configuring istio to perform mTLS with an endpoint outside of the cluster. I’ve found that using a ServiceEntry and a DestinationRule can achieve this, however I had to do a bit of hacking to configure the certificates to use.

The DestinationRule looked like this:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mtls-foo
spec:
  host: foo.bar.baz
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/clientkey.pem
      caCertificates: /etc/certs/rootca.pem

The DestinationRule documentation doesn’t state where those paths actually are or how to get the certificates to those paths.

I found that these paths were in the FS of the istio proxy. I found a way to get the certs there by:

  • creating a secret in my application’s namespace with the certificate chain, key, and trusted root.
  • using istioctl kube-inject to create a manifest for my application with the istio sidecar et al injected in.
  • editing the manifest to mount the secret in the istio-proxy with the certificates at the paths above.
  • applying the edited manifest with kubectl apply

How would one achieve this in production where istio is auto-injecting Pods with the mutating webhook?

I guess one way you could do it is editing the sidecar configuration template, in the istio-system (or other istio root) namespace, if you need this with all your pods.

You can check it with:

kubectl edit cm istio-sidecar-injector  -n istio-system

However, if you just need it for a few workloads, you can add the following annotation to the spec.template.metadata.annotations of your Deployment:

        sidecar.istio.io/userVolumeMount: '[{"name":"certs","mountPath":"/etc/certs","readOnly":true}]'

And under the volumes:

  volumes:
  - name: certs
    secret:
      secretName: your-secret

Hope this helps!
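Putting the annotation, the pod volume and the DestinationRule together in one manifest, as an added example rather than either poster's own files. It assumes the Secret was created with `kubectl create secret generic` from the three PEM files (so the Secret keys are the file names), and the names my-app, foo-client-certs and foo.bar.baz are placeholders.

```yaml
# Added example, not from the original thread. Assumes the Secret was created
# from the three PEM files so that its keys equal the file names, e.g.:
#   kubectl create secret generic foo-client-certs -n my-app \
#     --from-file=myclientcert.pem --from-file=clientkey.pem --from-file=rootca.pem
# Each key then appears as a file under mountPath, and the DestinationRule
# paths must point at exactly those files.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
      annotations:
        # Mounts into the injected istio-proxy container only. A dedicated
        # directory is used so nothing the proxy already has under /etc is shadowed.
        sidecar.istio.io/userVolumeMount: '[{"name":"client-certs","mountPath":"/etc/client-certs","readOnly":true}]'
    spec:
      containers:
      - name: my-app
        image: example.com/my-app:1.0   # placeholder image
      volumes:
      - name: client-certs
        secret:
          secretName: foo-client-certs
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mtls-foo
  namespace: my-app
spec:
  host: foo.bar.baz
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/client-certs/myclientcert.pem
      privateKey: /etc/client-certs/clientkey.pem
      caCertificates: /etc/client-certs/rootca.pem
```

After applying, `kubectl exec <pod> -c istio-proxy -- ls -l /etc/client-certs` should list the three files; if the proxy cannot read them, check the secret file modes against the user the sidecar runs as.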