I’ve been attempting to set up 2 separate meshes (Istio 1.8.2) with shared trust via a common root certificate, with the hope that I’d be able to take advantage of Istio mTLS-based authentication/authorization policies across meshes.
I’ve essentially followed the instructions for setting up a ‘multi-primary multi-network’ mesh (Istio / Install Multi-Primary on different networks), with the following exceptions:
- Separate meshIds for each
- Automatic ‘endpoint discovery’ not enabled (service/endpoints/serviceentries setup manually in each mesh instead)
I was hoping to be able to limit the exposure of services between the meshes via controls of the eastwest ingress gateway, but have been unable to find a viable way of doing this.
Some of the things I’ve tried:
- Adding Virtual Services with the existing ‘AUTO_PASSTHROUGH’ Gateway tls mode (seem to be ignored altogether)
- Replacing the ‘AUTO_PASSTHROUGH’ setting mode with ‘PASSTHROUGH’, and configuring tls-based VirtualServices (traffic seems to ‘get through’ the gateway, but is rejected with TLS errors. Also have struggled to find settings for ‘host’ and ‘sniHost’ matches which work other than “*”, I assume because the mTLS SNI host doesn’t match the Host header host?)
- Using a ‘standard’ ingress gateway, rather than the special ‘eastwest gateway’ setup as part of the multicluster setup (same issues as described above)
I understand that I can:
- keep the configuration as-is and use Istio authorization to allow/deny access at the service level, but was hoping for the extra layer of security that controlling access at the ingressgateway would provide (otherwise presumably the isolation benefits of running multiple meshes/clusters are reduced over just running a single mesh with authorization policies)
- do away with the shared trust altogether and configure authorization independently (e.g. via mTLS separate from that provided between Istio sidecars)
but was really hoping for something which would allow me to keep the benefits of Istio-provided mTLS whilst still having some control over inter-mesh service access.
Any thoughts or suggestions would be greatly appreciated - thanks!