Setting Up auto mTLS with ingress gateway without m or TLS

Hi,
I have been using Istio in production for more than 1.5 years now. So far so good.
Our architecture is to let the user-facing application come in through the ingress gateway to an app, let's call it the main app, and then any second-tier service (let's call them secondary app1 and secondary app2) gets called from this main app. Since the main app is user facing, I cannot mandate mTLS. Also, we are doing TLS offloading of the main app on an AWS ELB, so the ingress gateway is configured to accept HTTP (not HTTPS).
So I would like to have all secondary applications mandate mTLS, and any traffic coming from the ingress gateway talk to the secondary apps via mTLS too.

I looked at auto mTLS and it looks promising. When I configured auto and made the Policy for the secondary app namespace STRICT, it is working as expected as far as the mutual part of mTLS is concerned. Meaning when I try to access from a non-Istio container it fails, but when I access from an Istio container it works. It also works from the ingress gateway.

My question now is that all examples in auto mTLS use HTTP to show that it works. When I explicitly use HTTPS it fails. Is this because internally it uses HTTPS and I don't have to worry about it?

How do I test if it is using TLS? What if I am missing some config and it is not encrypting?

By the way, I am using Istio 1.4.7.

cc @incfly, @diemtvu

Sorry, I was wrong on the ingress gateway part. It is still not working when I have auto mTLS.

Meaning if the ingress gateway handles TLS offloading it works, but when the ELB handles TLS offloading it doesn't work.

So this ingress works:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: ABCapigateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
    hosts:
    - "*"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      # mode should be MUTUAL if we need mtls. mode should be SIMPLE if we just need server side tls
      # mode: MUTUAL
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      # caCertificates is only used together with mode: MUTUAL
      # caCertificates: /etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem
    hosts:
    - "*"

and this gateway stopped working when I switched on auto mTLS:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: XYZ-pcapapigateway
spec:
  selector:
    istio: XYZ-ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"

I am looking at https://istio.io/docs/reference/config/networking/gateway/#Server-TLSOptions-TLSmode
None of the modes PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL are applicable if I am doing TLS termination at the ELB and sending HTTP (not HTTPS) from the ELB to the ingress gateway. So not sure how to make this work.
This is a very normal use case where an end-user application is exposed on the internet and needs a public cert terminated at the ELB. So not sure what I am missing here.

Never mind, this is what you need to do in the DestinationRule on the ingress (set mode: ISTIO_MUTUAL). The following example is for Helm chart YAML.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: {{ include "my-service.fullname" . }}
  namespace: agent-app
spec:
  host: {{ include "my-service.fullname" . }}
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    loadBalancer:
      consistentHash:
        httpCookie:
          name: {{ include "my-service.fullname" . }}-sticky
          path: /
          ttl: 0s
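To answer the "how do I test if it is actually using TLS" question from the top of the thread once the ISTIO_MUTUAL DestinationRule is in place, one defender-side check is to read the Envoy proxy's own cluster counters (curl localhost:15000/stats inside the gateway or sidecar pod) and compare upstream connections against TLS handshakes per outbound cluster. The script below is an added example, not from this thread or the Istio project; it assumes Envoy's standard cluster.<name>.upstream_cx_total and cluster.<name>.ssl.* counters, and the stats sample and service names in it are constructed.

```python
# Constructed sample of Envoy /stats output as seen inside a gateway pod.
# Cluster names follow Istio's outbound|<port>|<subset>|<host> convention.
SAMPLE_STATS = """\
cluster.outbound|80||main-app.agent-app.svc.cluster.local.upstream_cx_total: 57
cluster.outbound|80||main-app.agent-app.svc.cluster.local.ssl.handshake: 57
cluster.outbound|8080||secondary-app1.agent-app.svc.cluster.local.upstream_cx_total: 12
cluster.outbound|8080||secondary-app2.agent-app.svc.cluster.local.upstream_cx_total: 0
cluster.outbound|8080||secondary-app2.agent-app.svc.cluster.local.ssl.handshake: 0
cluster.inbound|8080|http|secondary-app1.agent-app.svc.cluster.local.upstream_cx_total: 9
"""

METRICS = ("upstream_cx_total", "ssl.handshake", "ssl.connection_error")


def parse_cluster_stats(text):
    """Return {cluster: {metric: value}} for outbound clusters in /stats text."""
    clusters = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        name, value = line.rsplit(": ", 1)
        if not name.startswith("cluster.outbound|") or not value.isdigit():
            continue
        for metric in METRICS:
            suffix = "." + metric
            if name.endswith(suffix):
                # strip the "cluster." prefix and the metric suffix
                cluster = name[len("cluster."):-len(suffix)]
                clusters.setdefault(cluster, {})[metric] = int(value)
    return clusters


def classify(clusters):
    """Label each cluster 'tls', 'plaintext', 'mixed' or 'no-traffic'."""
    # ssl.* counters come from the cluster's TLS transport socket, so upstream
    # connections without a matching handshake attempt went out in the clear.
    verdicts = {}
    for cluster, m in clusters.items():
        total = m.get("upstream_cx_total", 0)
        attempts = m.get("ssl.handshake", 0) + m.get("ssl.connection_error", 0)
        if total == 0:
            verdicts[cluster] = "no-traffic"
        elif attempts == 0:
            verdicts[cluster] = "plaintext"
        elif attempts >= total:
            verdicts[cluster] = "tls"
        else:
            verdicts[cluster] = "mixed"
    return verdicts
```

Run it against a real stats dump with classify(parse_cluster_stats(open("stats.txt").read())); any cluster reported as plaintext or mixed is a hop that auto mTLS or the DestinationRule did not cover.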

I was trying to digest your question but failed to follow through. It will be better if it's more focused. To recap, you see requests fail between the ingress gateway and workloads within the cluster when turning on auto mTLS? And it is not failing when you expose the service as HTTP, only failing when you configure HTTPS on the gateway with a key/cert specified?

Not sure if you followed, but the issue is resolved and I have posted the solution too.