0

I have a bunch of GRPC microservices and they are using self-signed certs. I add authentication info to the GRPC channel, which is then used to identify endpoints and provide the right services.

Now I want to migrate to Istio mTLS.

In phase one, I got Istio to BYPASS all GRPC connections and my services work as they do now.

In phase two, I want to hand off TLS to Istio, but I am stuck on how to pass the authentication information to GRPC.

How do you handle auth in Istio mTLS setup?

GRPC can support other authentication mechanisms. Has anyone used this to inject Istio auth info into GRPC? Any other suggestions on how you implemented this in your setup?

I am using go-lang, just in case this is useful for providing any additional information.

Thanks

RandomQuests
  • 635
  • 4
  • 16

2 Answers

3

One way of doing this is using grpc.WithInsecure(); this way you don't have to add certificates to your services, since the istio-proxy containers in your pods will TLS-terminate any incoming connections.

Client side:

// plaintext dial: the sidecar on the client pod upgrades the connection to mTLS
conn, _ := grpc.Dial("localhost:50051", grpc.WithInsecure())

Server side:

// plaintext listener: the sidecar on the server pod terminates mTLS before forwarding here
s := grpc.NewServer()
lis, _ := net.Listen("tcp", "localhost:50051")

// error handling omitted
s.Serve(lis)

If you still need to use TLS for on-prem deployments, etc., you can simply use a configuration option to specify this, such as:

var conn *grpc.ClientConn
var err error
// error handling omitted do not copy paste

if config.IstioEnabled {
    // sidecar provides TLS, dial plaintext
    conn, err = grpc.Dial("localhost:50051", grpc.WithInsecure())
} else {
    // no sidecar, the application must do TLS itself
    creds, _ := credentials.NewClientTLSFromFile(certFile, "")
    conn, err = grpc.Dial("localhost:50051", grpc.WithTransportCredentials(creds))
}

Reference.

Wytrzymały Wiktor
  • 11,492
  • 5
  • 29
  • 37
Berk Soysal
  • 2,356
  • 1
  • 18
  • 17
  • Thanks for the quick response. When I do `WithInsecure()` I lose the capability to add credentials, which I am using to identify the endpoints (I use `WithPerRPCCredentials()`, which adds an auth header to requests). – RandomQuests Jun 11 '21 at 23:25
  • Ah I see, here is an article that may be useful: https://medium.com/utility-warehouse-technology/grpc-client-authentication-bf899ac8ada8 – Berk Soysal Jun 13 '21 at 02:00
  • The link hit a paywall – RandomQuests Jun 15 '21 at 14:38
0

I resolved this by generating a JWT token for my requests and injecting the token using an interceptor. Took inspiration from "GRPC interceptor for authorization with jwt".

RandomQuests
  • 635
  • 4
  • 16
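
The following is an added example (not code from either answer or from the asker) that ties the comment thread under the first answer to the second answer: it shows why per-RPC credentials can still be used on a grpc.WithInsecure() channel when the istio-proxy sidecar does the TLS, and what the server-side interceptor check on the injected JWT looks like. To keep it runnable stand-alone it does not import grpc-go; the tokenCreds type has exactly the two methods of grpc-go's credentials.PerRPCCredentials, and authenticate takes the same map[string][]string shape as grpc's metadata.MD. The signing key, the service name "billing-service" and the HS256 JWT format are constructed for the example; a real deployment would load the key from a secret and would typically validate tokens issued by a proper issuer.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// signingKey is a constructed example secret; a real service loads it from a
// Kubernetes Secret or a key-management service, never from source.
var signingKey = []byte("example-shared-secret-replace-me")

type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintToken builds a compact HS256 JWT (header.payload.signature) for the
// calling service identity "sub", valid until "exp".
func mintToken(sub string, exp time.Time) (string, error) {
	payload, err := json.Marshal(claims{Sub: sub, Exp: exp.Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// verifyToken pins the algorithm to HS256, checks the signature in constant
// time, then the expiry, and returns the subject on success.
func verifyToken(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var h struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdr, &h); err != nil || h.Alg != "HS256" {
		return "", errors.New("unsupported alg") // also rejects alg=none
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	if c.Sub == "" || now.Unix() >= c.Exp {
		return "", errors.New("token expired or missing sub")
	}
	return c.Sub, nil
}

// tokenCreds has the same two methods as grpc-go's credentials.PerRPCCredentials;
// the real type would be handed to grpc.WithPerRPCCredentials on the client dial.
type tokenCreds struct{ token string }

func (t tokenCreds) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
	return map[string]string{"authorization": "Bearer " + t.token}, nil
}

// Returning false is what lets these credentials ride on a grpc.WithInsecure()
// channel: the istio-proxy sidecar, not the application, provides TLS, and
// grpc-go refuses credentials that require transport security on an insecure dial.
func (t tokenCreds) RequireTransportSecurity() bool { return false }

// authenticate is the check a server-side interceptor runs on the incoming
// metadata (grpc's metadata.MD is a map[string][]string) before the handler.
func authenticate(md map[string][]string, now time.Time) (string, error) {
	vals := md["authorization"]
	if len(vals) != 1 || !strings.HasPrefix(vals[0], "Bearer ") {
		return "", errors.New("missing bearer token")
	}
	return verifyToken(strings.TrimPrefix(vals[0], "Bearer "), now)
}

func main() {
	now := time.Now()
	tok, _ := mintToken("billing-service", now.Add(5*time.Minute))
	md, _ := tokenCreds{tok}.GetRequestMetadata(context.Background())
	sub, err := authenticate(map[string][]string{"authorization": {md["authorization"]}}, now)
	fmt.Println(sub, err)
}
```

Wired into a real service, tokenCreds goes in `grpc.Dial(addr, grpc.WithInsecure(), grpc.WithPerRPCCredentials(creds))` and authenticate is called from a `grpc.UnaryInterceptor` after `metadata.FromIncomingContext(ctx)`. The application port is plaintext inside the pod, so the guarantee that only mTLS peers reach it comes from the Istio PeerAuthentication policy on the mesh, and the JWT carries the caller identity that the sidecar's certificate does not hand through to the application.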