Mutual TLS with External Services

Hey guys.

We have an Istio Mesh with Istio 1.3.8, mTLS enabled in our cluster.

Now we have to connect to an external service (API Gateway) which uses mutual TLS. They have sent us the keys we need to use for accessing their services, and we’ve configured our mesh as follows:

  • 1 Service Entry with MESH_EXTERNAL option
  • 1 Virtual Service getting traffic on port 80 as plain HTTP and redirecting it to port 443
  • 1 Destination Rule, configuring port 443 with tls.mode: MUTUAL and clientCertificate and privateKey.

For mounting the provided keys into the Istio sidecar, we’ve changed the istio-sidecar-injector ConfigMap to add our secret to the istio-proxy container. The issue is: only a few pods will communicate with that external service, but when any pod that was not restarted tries to pull configuration from Pilot, I can see the following warning in the Pilot logs:

"message: Error adding/updating cluster(s) outbound|443|mtls-cluster| Invalid path: /etc/external-certs/clientCertificate.pem"

Is there a way to tell Istio to push this cluster only to the pods that will actually communicate with this service, so the others do not need to mount the volume? Is there a better approach for mounting the external certificates (like the userMount annotation or some Citadel approach)?


You can go explore the Sidecar API, which is meant to solve this problem by explicitly stating the dependency on outbound clusters. Only the selected, scoped services are pushed to the designated workloads.
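A worked configuration for the answer above, as an added example that is not part of the original thread or of Istio's own samples. It keeps the ServiceEntry and DestinationRule from the question but moves them into a dedicated namespace (assumed here to be `external-services`, created separately), hides that namespace from every workload in the application namespace (assumed `apps`) with a namespace-wide Sidecar, and re-imports it only for pods labelled `app=partner-client` with a workload-scoped Sidecar. The hostname `api-gateway.partner.example`, the label, the secret name, the image and the certificate file names are assumptions; the port 80 to 443 VirtualService from the question is unchanged and not repeated here.

```yaml
# Added example, not the original poster's manifests. All names are assumed.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: mtls-gateway
  namespace: external-services
spec:
  hosts:
  - api-gateway.partner.example   # assumed external hostname
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 80                    # plain HTTP from the app, rewritten to 443 by the VirtualService
    name: http
    protocol: HTTP
  - number: 443
    name: https
    protocol: TLS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mtls-gateway
  namespace: external-services
spec:
  host: api-gateway.partner.example
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        clientCertificate: /etc/external-certs/clientCertificate.pem
        privateKey: /etc/external-certs/privateKey.pem
        caCertificates: /etc/external-certs/ca.pem   # assumed: the gateway's CA, to verify its server cert
---
# Namespace-wide default: no workloadSelector, so it applies to every pod in
# "apps" that no more specific Sidecar matches. The external-services
# namespace is deliberately absent, so Pilot never builds the mTLS cluster
# (and never looks for the certificate files) for these pods.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: default
  namespace: apps
spec:
  egress:
  - hosts:
    - "./*"
    - "istio-system/*"
---
# Workload-scoped Sidecar: only pods labelled app=partner-client import the
# external-services namespace and therefore receive the outbound|443 cluster.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: partner-client
  namespace: apps
spec:
  workloadSelector:
    labels:
      app: partner-client
  egress:
  - hosts:
    - "./*"
    - "istio-system/*"
    - "external-services/*"
---
# Only the selected workload mounts the client certificate into istio-proxy,
# using the injector's per-pod annotations instead of a global injector change.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: partner-client
  namespace: apps
spec:
  selector:
    matchLabels:
      app: partner-client
  template:
    metadata:
      labels:
        app: partner-client
      annotations:
        sidecar.istio.io/userVolume: '[{"name":"external-certs","secret":{"secretName":"external-certs"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"external-certs","mountPath":"/etc/external-certs","readOnly":true}]'
    spec:
      containers:
      - name: app
        image: example/partner-client:1.0   # assumed image
```

A Sidecar with a `workloadSelector` takes precedence over the namespace-wide one for the pods it matches, which is what makes the split work: the cluster, and the "Invalid path" warning, disappear for every pod that is not a `partner-client`. The `sidecar.istio.io/userVolume` and `sidecar.istio.io/userVolumeMount` annotations are the per-pod alternative to editing the injector ConfigMap. Because the partner's private key ends up on the istio-proxy filesystem, restrict who can read the `external-certs` Secret and who can `exec` into those pods; the scoping above limits the blast radius to the pods that need the key, it does not protect the key on them.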