I want to set up an outbound connection like the one below.
The external service requires mTLS, but the client should not have to worry about it. I want Istio's Envoy proxy to take care of automatically upgrading the connection from HTTP to HTTPS.
client (http) -----> envoy proxy (sidecar upgrades to mTLS) -----> external service (outside mesh)
The documentation suggests that I first have to create a ServiceEntry for the external service and then create a VirtualService and DestinationRule. Unfortunately, I am not able to put everything together and have a few questions:
- What should the protocol of the ServiceEntry be? Is it HTTP or HTTPS? The client is going to make an HTTP call, but the actual service itself is HTTPS, hence the confusion.
- Client certs – can I mount them in the sidecar proxy container using Istio's annotations, or do I need to deploy an egress proxy container for this use case? Can it be achieved without an egress proxy container?
- Will the outbound connections get double-encrypted, since all the connections in the mesh are secured by Istio by default?
- How does Istio know where to look for the certs (I mean, in which Envoy proxy container) when the cert paths are defined in the DestinationRule, especially when an egress gateway also exists in the path?
Any clarification on these would be really helpful.
Thanks
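The following is an added example, not part of the original post, of the three Istio objects the question refers to wired together for sidecar-side TLS origination, with the client certificate mounted into the sidecar by annotation rather than through an egress gateway. The hostname `external.example.com`, the secret name `external-client-certs`, the mount path `/etc/certs` and the file names inside it are assumptions chosen for the example; the API fields (`ServiceEntry`, `VirtualService`, `DestinationRule` with `tls.mode: MUTUAL`, and the `sidecar.istio.io/userVolume` / `sidecar.istio.io/userVolumeMount` annotations) are Istio's own.

```yaml
# Added example (not from the original post). Hostname, secret name and
# cert paths are assumptions; adjust them to the real external service.
#
# 1. Declare the external host with both ports: the client speaks plain
#    HTTP on 80, the sidecar originates TLS towards 443.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc
spec:
  hosts:
  - external.example.com          # assumed external hostname
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: https-port
    protocol: HTTPS
---
# 2. Redirect the client's port-80 HTTP request to port 443 on the same host.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: external-svc
spec:
  hosts:
  - external.example.com
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: external.example.com
        port:
          number: 443
---
# 3. On port 443 the sidecar presents a client certificate (mTLS) read from
#    files on its own filesystem and verifies the server against a CA bundle.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: external-svc
spec:
  host: external.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        clientCertificate: /etc/certs/client.pem      # assumed path
        privateKey: /etc/certs/client-key.pem         # assumed path
        caCertificates: /etc/certs/ca.pem             # assumed path
        sni: external.example.com
---
# 4. Mount the client certs into the sidecar container of the calling pod
#    (pod template excerpt; the Deployment is otherwise unchanged).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: client
spec:
  selector:
    matchLabels:
      app: client
  template:
    metadata:
      labels:
        app: client
      annotations:
        # assumed secret name holding client.pem, client-key.pem and ca.pem
        sidecar.istio.io/userVolume: '[{"name":"client-certs","secret":{"secretName":"external-client-certs"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"client-certs","mountPath":"/etc/certs","readonly":true}]'
    spec:
      containers:
      - name: client
        image: curlimages/curl
        command: ["sleep", "infinity"]
```

With these applied, a `curl http://external.example.com/` from the client container leaves the pod on port 443 with the sidecar's client certificate; the file paths in the DestinationRule are resolved inside whichever Envoy applies the rule, which here is the calling pod's sidecar, so the secret must be mounted there. Traffic to `MESH_EXTERNAL` hosts is not wrapped in Istio's own mesh mTLS, so the connection is encrypted once, by the origination configured above.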