There is an article on how to pass TLS through Ingress and terminate it on the workload - https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/
Instead, I’d like to terminate it on the workload’s proxy (Envoy), and have the proxy doing the regular Istio’s authentication and authorization.
What config do I need to apply in order to achieve that? (of the gateway, virtual service, etc)
My use case is:
I have a set of services I’m migrating to Istio, they already use mTLS to communicate with each other.
The services will be migrated gradually, so these cases are possible:
- the client is outside of mesh, while the server is inside
- visa versa
I plan to plug in existing TLS root and intermediate certificates as per https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/ so the leaf services’ certificates in both systems will have a common root cert, so the services in the both systems should be able to trust each other.