Hi
We have 2 clusters, each having their own independent CA (multiple meshes). We are looking at a way to achieve end-to-end mTLS trust across clusters so we can propagate the clientID (SPIFFE ID) and therefore apply AuthN/AuthZ policies.
This document https://istio.io/docs/ops/deployment/deployment-models/#trust-between-meshes says we can exchange trust bundles manually across clusters so we can trust each other and do end-to-end mTLS.
Haven't found any examples/documentation regarding how to achieve this.
@leitang Could you take a look?
AFAIK, https://istio.io does not have an example or a guide for exchanging trust bundles manually across clusters. You may create a feature request on https://github.com/istio/istio.io/issues to request adding such documentation to https://istio.io.
I have raised an issue for the same: https://github.com/istio/istio/issues/23985
Since this would take some time, do you have any pointers on how to achieve the same?
This document is mostly about using an existing intermediate CA, but it sort of works to describe plugging in multiple root certificates as well: https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/. If you include multiple concatenated root certificates in root-cert.pem, these will be distributed as trusted root certificates across a cluster.
Note: this assumes they are in the same logical trust domain. If you want to trust one root certificate differently than the other, you’ll need to consider either terminating TLS at gateways and explicitly providing certificates to your gateways or using constraints like name constraints on the signing certificate itself to prevent impersonation of a service in one mesh by a service in another mesh.
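To make the "concatenated root certificates in root-cert.pem" approach from the reply above concrete, here is an added example (not from this thread, and not Istio's own code). It uses openssl to stand in for two independent mesh CAs: it creates a self-signed root for each, concatenates the two roots into a single root-cert.pem bundle, issues a workload certificate with a SPIFFE URI SAN under each root, and then checks that a workload from either mesh verifies against the shared bundle while a certificate from an unrelated CA does not. The mesh names, service names and SPIFFE IDs are constructed for the demo.

```shell
#!/bin/sh
# Added example: build a multi-root root-cert.pem and verify cross-mesh
# workload certificates against it. All names below are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed root CA for a mesh. $1 = mesh name (constructed).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=$1/CN=$1 root" \
    -keyout "$WORK/$1-root-key.pem" -out "$WORK/$1-root.pem" >/dev/null 2>&1
}

# Issue a workload certificate carrying a SPIFFE ID in the URI SAN.
# $1 = issuing mesh, $2 = workload name, $3 = SPIFFE ID (all constructed).
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=$1/CN=$2" \
    -keyout "$WORK/$2-key.pem" -out "$WORK/$2.csr" >/dev/null 2>&1
  printf 'subjectAltName=URI:%s\nbasicConstraints=CA:FALSE\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/$2.csr" \
    -CA "$WORK/$1-root.pem" -CAkey "$WORK/$1-root-key.pem" -CAcreateserial \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Concatenate the named mesh roots into one root-cert.pem. This is the file
# the plugin-ca-cert task distributes as the set of trusted roots.
build_bundle() {
  : > "$WORK/root-cert.pem"
  for mesh in "$@"; do
    cat "$WORK/$mesh-root.pem" >> "$WORK/root-cert.pem"
  done
}

# Exit 0 if workload $1 chains to some root in root-cert.pem, non-zero otherwise.
verify_leaf() {
  openssl verify -CAfile "$WORK/root-cert.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Print the SPIFFE ID (URI SAN) of workload $1, i.e. the identity a peer
# would see once the chain has been validated against the bundle.
spiffe_id() {
  openssl x509 -in "$WORK/$1.pem" -noout -text \
    | grep -o 'URI:[^,[:space:]]*' | sed 's/^URI://' | head -n 1
}

# Demo: two meshes share a bundle; a third CA outside the bundle is rejected.
run_demo() {
  make_root mesh1
  make_root mesh2
  make_root rogue
  build_bundle mesh1 mesh2
  make_leaf mesh1 mesh1-svc "spiffe://mesh1/ns/default/sa/sleep"
  make_leaf mesh2 mesh2-svc "spiffe://mesh2/ns/default/sa/httpbin"
  make_leaf rogue rogue-svc "spiffe://mesh1/ns/default/sa/sleep"
  for w in mesh1-svc mesh2-svc rogue-svc; do
    if verify_leaf "$w"; then
      echo "$w: trusted, identity $(spiffe_id "$w")"
    else
      echo "$w: NOT trusted by root-cert.pem"
    fi
  done
}

run_demo
```

Note that the rogue certificate claims the same SPIFFE ID as mesh1's workload; it is rejected only because its issuer is absent from root-cert.pem. Once a root is in the bundle, anything it signs is trusted for any SPIFFE ID, which is exactly the "same logical trust domain" caveat in the reply above. In the linked plugin-ca-cert task the resulting root-cert.pem is loaded, together with the intermediate cert, key and chain, into the cacerts secret in istio-system.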