Sending HTTP request after enabling mTLS between Services

Hi, I have a few beginner questions regarding mTLS.
I have two services: hello-world and service1.
My Python application in hello-world will make a GET request to my Python application in service1 when I visit the /hello-service1 route.
I have enabled mTLS for service1.
My questions are:

  1. When I send my GET request from hello-world to service1, http://service1.service1.svc.cluster.local:PORT_NUMBER works but https://service1.service1.svc.cluster.local:PORT_NUMBER doesn’t. I have read this page.
    Does this mean that when I send an HTTP request, the Envoy proxy in hello-world will handle mTLS with the Envoy proxy in service1, thus the right way to call service1 would be by http instead of https?

  2. When I enable mTLS for service1 only, does this mean that if service1 calls hello-world, it will be without mTLS?

Hi,

Yes and yes.

The core gain of Istio mTLS is that applications do not need to use https and continue to work with http. The upgrade to mTLS is done on the istio-proxy side.

The second question depends on your Istio installation parameters. What kind of mTLS policy did you use?

Thanks for the reply. My policy is:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "service1-mtls-policy"
  namespace: service1
spec:
  targets: 
  - name: service1
  peers:
  - mtls: {}
    mode: STRICT

I’m not sure, but is it correct? Those curly braces and the indentation of mode?

I could run kubectl apply -f on that policy and checked using istioctl authn tls-check. It was indeed in STRICT mode.
I’m not sure, is that enough to verify that requests between Envoy proxies are sent via mTLS?
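
For reference, an added example (not a configuration posted in this thread) of the policy with `mode` nested under `mtls`, as the v1alpha1 authentication API defines it, together with a client-side DestinationRule for service1. The DestinationRule name is an assumption; the host, namespace and policy name are taken from the posts above.

```yaml
# Added example, not from the thread.
# Server side: require mTLS on inbound connections to service1.
# In the v1alpha1 API, "mode" is a field of the mtls object, so it is
# nested under it. An empty "mtls: {}" selects the default mode, STRICT.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "service1-mtls-policy"
  namespace: service1
spec:
  targets:
  - name: service1
  peers:
  - mtls:
      mode: STRICT
---
# Client side: tell calling sidecars to originate Istio mutual TLS to
# service1. A caller needs this unless automatic mTLS is enabled in the mesh.
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "service1-mtls-dr"   # assumed name, not from the thread
  namespace: service1
spec:
  host: "service1.service1.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

With this in place the application in hello-world still calls the http:// URL; the sidecars carry the connection over mTLS.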