
In my mesh, I am connecting to 3rd party services over TLS (specifically Strimzi's Kafka, which is in the same k8 cluster, but w/o Istio sidecar). Normally I would install the needed certificate authority into the Java service, but with Istio terminating I'm not sure how to do so. If I put the public certificate in a secret, can I have a Secret Discovery Service (SDS) help manage it on the Envoy proxy (something like Secure Ingress SDS but for within the mesh)?

I've read this documentation, but it seems to be about replacing the generated certificates, which I don't want to do (I like the automatic maintenance within the cluster). https://istio.io/docs/tasks/security/plugin-ca-cert/

I have also added the 3rd party CAs as mounts to /etc as specified in this answer, but they aren't picked up by Envoy as certificates (checked via logs and istioctl tool).

How do you add additional certificate authorities to Istio Citadel so they are delivered to Envoy proxies in the security bundle?

Adam
  • Why are your pods communicating with each other in the mesh using TLS? You mention "istio terminating" TLS, but the pods within your mesh don't need to be communicating with TLS, unless you have some other requirement. – Stephen Greene Oct 08 '19 at 03:05
  • Yes, the pods in the mesh do need to communicate over TLS. That's exactly the requirement because they are running in a cloud environment across data centers. – Adam Oct 09 '19 at 20:15
  • Where is your 3rd party service running? Is it in the same cluster, and within the service mesh? If it is within the mesh, can you not use your CA certs by setting `security.selfSigned=false`? If the service is outside the mesh, I thought you could use an Egress setup such as [TLS origination with gateway](https://istio.io/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/). Sorry if I'm misunderstanding your points. – Ryota Oct 11 '19 at 00:21
  • It is inside the cluster, but outside the mesh (i.e. w/o sidecar). – Adam Oct 11 '19 at 14:38
  • @Ryota, selfSigned=false makes sense so it doesn't use the Istio CA, but can we also use the CA signing the 3rd party certificate? – Adam Oct 11 '19 at 14:43
  • If it's inside the cluster and you want to initiate TLS for that, are ServiceEntry and DestinationRule going to allow that usage perhaps? The [ServiceEntry](https://istio.io/docs/reference/config/networking/v1alpha3/service-entry/) doc has an example of external Mongo DB access, and that external IP can be swapped to a service inside the cluster. As to the CA, you should be able to provide your own certs (or anything the 3rd party requires) and chain them, as mentioned in the doc - would that suffice for your use case? – Ryota Oct 11 '19 at 14:50
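
As an added example (not the asker's config and not taken from the Istio docs) of the DestinationRule approach suggested in the comments, applied to the in-cluster Strimzi case: a Kubernetes Service is already in Istio's registry, so no ServiceEntry is needed, only a rule that originates TLS and trusts the Strimzi cluster CA, and the CA file must be mounted into the sidecar rather than the app container. The cluster name `my-cluster`, namespace `kafka`, deployment name, image and the `sidecar.istio.io/userVolume` annotations being available in the Istio version in use are assumptions.

```yaml
# Added example, not the asker's config and not from the Istio docs:
# let the Envoy sidecar originate TLS to a Strimzi broker that has no sidecar
# and verify it against Strimzi's cluster CA. Cluster name "my-cluster",
# namespace "kafka", deployment name and image are placeholders.

# 1. Mount the Strimzi cluster CA into the *sidecar* (a volume on the app
#    container is invisible to Envoy). Strimzi publishes the CA in the
#    <cluster>-cluster-ca-cert secret under the key ca.crt.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kafka-consumer
  namespace: kafka
spec:
  selector:
    matchLabels: { app: kafka-consumer }
  template:
    metadata:
      labels: { app: kafka-consumer }
      annotations:
        sidecar.istio.io/userVolume: >-
          [{"name":"kafka-ca","secret":{"secretName":"my-cluster-cluster-ca-cert"}}]
        sidecar.istio.io/userVolumeMount: >-
          [{"name":"kafka-ca","mountPath":"/etc/kafka-ca","readOnly":true}]
    spec:
      containers:
      - name: consumer
        image: example/kafka-consumer:placeholder
---
# 2. Originate TLS only on the broker's TLS listener port (9093 by Strimzi
#    convention). The app itself connects in plaintext to
#    my-cluster-kafka-bootstrap.kafka.svc.cluster.local:9093; Envoy wraps the
#    connection in TLS and rejects brokers whose chain does not end at ca.crt.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: kafka-bootstrap-tls-origination
  namespace: kafka
spec:
  host: my-cluster-kafka-bootstrap.kafka.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 9093
      tls:
        mode: SIMPLE                     # one-way TLS, no client certificate
        caCertificates: /etc/kafka-ca/ca.crt
        sni: my-cluster-kafka-bootstrap.kafka.svc.cluster.local
```

Kafka clients learn the individual broker addresses from the bootstrap metadata response and then connect to those hosts directly, so the per-broker hosts need the same TLS settings. Verification only succeeds if the broker certificates' SANs match the name given in `sni`.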

0 Answers