ISTIO_MUTUAL for gateway

istio version: 1.5.2

kubernetes version: 1.17

We followed the document provided at https://archive.istio.io/v1.5/pt-br/docs/tasks/security/citadel-config/plugin-ca-cert/; instead of using the example PEM files, we created our own PEM certificates.

  1. How the certificates are generated
    We used the script available at https://github.com/nicholasjackson/mtls-go-example/blob/85f7453487e47c018961ca11f3526fd3e5d888d9/generate.sh to generate the certificates, and created a root CA, an intermediate CA, a server certificate and a client certificate.

  2. Command used to create the secret
    kubectl create secret generic cacerts -n istio-system --from-file=2_intermediate/certs/ca-cert.pem --from-file=2_intermediate/private/ca-key.pem --from-file=1_root/certs/root-cert.pem --from-file=2_intermediate/certs/cert-chain.pem

  3. Gateway
    In the gateway configuration we set the host to * and the mode to "ISTIO_MUTUAL",
    e.g.:

    - hosts:
      - '*'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        mode: ISTIO_MUTUAL
  4. curl command for testing the configuration

    curl -v --cacert 2_intermediate/certs/ca-cert.pem --cert 4_client/certs/alertmanager.example.com.cert.pem --key 4_client/private/alertmanager.example.com.key.pem https://alertmanager.example.com:31390/alertmanager

    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: 2_intermediate/certs/ca-chain.cert.pem
        CApath: none
    * Server certificate:
    *   subject: (nil)
    *   start date: Jun 10 03:14:43 2020 GMT
    *   expire date: Sep 08 03:14:43 2020 GMT
    *   common name: (nil)
    *   issuer: CN=alertmanager.example.com,O=Dis,ST=Denial,C=US
    * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
    * Peer's certificate issuer has been marked as not trusted by the user.
    * Closing connection 0
  5. Ingress gateway log showing the error

[Envoy (Epoch 0)] [2020-06-10 06:53:51.096][19][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:1276] [C1][S5834571573276687585] request end stream
[Envoy (Epoch 0)] [2020-06-10 06:53:51.096][19][debug][admin] [external/envoy/source/server/http/admin.cc:1343] [C1][S5834571573276687585] request complete: path: /stats?usedonly&filter=server.state
[Envoy (Epoch 0)] [2020-06-10 06:53:51.097][19][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:1616] [C1][S5834571573276687585] encoding headers via codec (end_stream=false):
':status', '200'
'content-type', 'text/plain; charset=UTF-8'
'cache-control', 'no-cache, max-age=0'
'x-content-type-options', 'nosniff'
'date', 'Wed, 10 Jun 2020 06:53:51 GMT'
'server', 'envoy'

[Envoy (Epoch 0)] [2020-06-10 06:53:51.829][30][debug][filter] [external/envoy/source/extensions/filters/listener/tls_inspector/tls_inspector.cc:78] tls inspector: new connection accepted
[Envoy (Epoch 0)] [2020-06-10 06:53:51.957][30][debug][filter] [external/envoy/source/extensions/filters/listener/tls_inspector/tls_inspector.cc:148] tls:onServerName(), requestedServerName: alertmanager.example.com
[Envoy (Epoch 0)] [2020-06-10 06:53:51.957][30][debug][conn_handler] [external/envoy/source/server/connection_handler_impl.cc:353] [C26] new connection
[Envoy (Epoch 0)] [2020-06-10 06:53:51.959][30][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:191] [C26] handshake expecting read
[Envoy (Epoch 0)] [2020-06-10 06:53:51.959][30][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:191] [C26] handshake expecting read
[Envoy (Epoch 0)] [2020-06-10 06:53:51.961][30][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:198] [C26] handshake error: 1
[Envoy (Epoch 0)] [2020-06-10 06:53:51.961][30][debug][connection] [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:226] [C26] TLS error: 268436504:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA
[Envoy (Epoch 0)] [2020-06-10 06:53:51.961][30][debug][connection] [external/envoy/source/common/network/connection_impl.cc:192] [C26] closing socket: 0

The problem we faced is that you have to give the complete chain when creating the secret. We used SIMPLE for the TLS settings, but hopefully this would work for ISTIO_MUTUAL as well.

Assuming your cert name is mycert.pfx, here are the commands to get the complete chain:

openssl pkcs12 -in mycert.pfx -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert_cert.pem

And here is the command for the key. Open the resulting PEM and remove the Bag Attributes:

openssl pkcs12 -in mycert.pfx -nocerts -nodes -out mycert_key.pem

So your secret command would look like this:

kubectl create -n istio-system secret generic gkegatewaysecret \
    --from-file=key=./mycert_key.pem \
    --from-file=cert=./mycert_cert.pem

Your gateway YAML would look something like this:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ingress-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: ISTIO_MUTUAL
      credentialName: "gkegatewaysecret"
    hosts:
    - "*"

Hope that works.

@Sabyasachi2k Thanks for the response.

Please find the link below; it says not to provide any TLSOptions in the gateway for mode ISTIO_MUTUAL.

But in the above example we are passing a credential name.

Please help me understand this.

@Aravind
You are correct: when using ISTIO_MUTUAL it is not necessary to give the certs; SDS takes care of it. We have not used this option. We used SIMPLE with the credential name, and configured the mesh to enable mTLS for intra-mesh communication.

Thank you @Sabyasachi2k for the info.

Can you share an example document or procedure for the step mentioned above? It would be really helpful.

@Aravind
I already gave that in my previous reply. Let me know if that helps.
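As an added example (not from this thread and not an official Istio sample), this is the shape of the setup @Sabyasachi2k describes: the ingress Gateway terminates TLS in SIMPLE mode with the certificate from the credentialName secret, while a mesh-wide PeerAuthentication in istio-system enforces mTLS between sidecars. The secret name and the assumption that gateway SDS is enabled (the default for Istio 1.5 with istiod) are taken from the earlier reply; everything else is illustrative.

```yaml
# Added example: external TLS terminated at the gateway (SIMPLE), internal mTLS
# enforced mesh-wide (STRICT). Secret "gkegatewaysecret" holds "key" and "cert",
# where "cert" is the server certificate followed by its intermediates.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ingress-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                      # gateway presents a cert; clients are not asked for one
      credentialName: "gkegatewaysecret" # read via SDS, no volume mount needed
    hosts:
    - "*"
---
# Mesh-wide mTLS between sidecars; placing it in istio-system makes it the
# root policy for every namespace without its own PeerAuthentication.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

With STRICT, plaintext from workloads outside the mesh is rejected by the sidecars, so anything that must reach a service without a sidecar needs either a PERMISSIVE override in that namespace or a sidecar of its own; check with istioctl before switching a live mesh from PERMISSIVE to STRICT.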