How to configure certs for DestinationRule using MUTUAL tls mode

Config
1

I’ve been experimenting with ways of configuring istio to perform mTLS with an endpoint outside of the cluster. I’ve found that using a ServiceEntry and a DesinationRule can achive this, however I had to do a bit of hacking to configure the certificates to use.

The DesinationRule looked like this:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mtls-foo
spec:
  host: foo.bar.baz
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/clientkey.pem
      caCertificates: /etc/certs/rootca.pem

The DesinationRule documentation doesn’t state where those paths actually are or how to get the certificates to those paths. Istio / Destination Rule

I found that these paths were in the FS of the istio proxy. I found a way to get the certs there by:

  • creating a secret in my application’s namespace with the certifiacte chain, key, and trusted root.
  • using istioctl kube-inject to create a manifest for my application with the istio sidecar et al injected in.
  • editing the manifest to mount the secret in the istio-proxy with the certifiactes at the paths above.
  • applying the edited manifest with kubectl apply

How would one achieve this in production where istio is auto-injecting Pods with the mutating webhook?

2

I guess one way you could do it is editing the sidecar configuration template, in the istio-system (or other istio root) namespace, if you need this with all our pods.

You can check it with:

kubectl edit cm istio-sidecar-injector  -n istio-system

However, if you just need it a few workloads, you can add the following annotation to the spec.template.metadata.annotations of your Deployment:

        sidecar.istio.io/userVolumeMount: '[{"name":"certs","mountPath":"/etc/","readonly":true}]'

And under the volumes:

  volumes:
  - name: certs
    secret:
      name: your-secert

Hope this helps!