0

In my cluster I have multiple namespaces. All my 1st-party services are running in one namespace and all 3rd-party services are running in their own namespaces.

I have Istio enabled on my 1st-party namespace (let’s call it ns-1 ). Istio is not enabled for any of my 3rd-party namespaces.

I have a 3rd-party service that needs to connect to my 1st-party service. The 3rd-party service will use k8s DNS like service1.ns-1.svc.cluster.local to connect to my service. The 3rd-party service can communicate to my 1st-party service without TLS. When I enable TLS between the service it fails and I don’t know how/where to terminate the TLS?

Is it possible to define a Gateway that can route traffic between namespaces? or it is possible to route traffic between namespaces through Istio IngressGateway

RandomQuests
  • 635
  • 4
  • 16
  • Did you try setting mTLS mode to `PERMISSIVE` for this specific workload, like in the [docs](https://istio.io/latest/docs/tasks/security/authentication/authn-policy/#enable-mutual-tls-per-workload)? –  Feb 15 '22 at 10:40
  • this didn't work – RandomQuests Feb 15 '22 at 21:54

1 Answers1

1

After playing with Istio & Minikube with echo-server exams this is what I found. First let me define the namespaces and services so it will be easy to explain

  • ns-1 - namespace 1 with Istio enabled
  • ns-2 - namespace 2 without Istio
  • service-1 - service 1 in ns-1 namespace
  • service-2- service 2 in ns-2 namespace

Below are connections status between these 2 services

  • service-1 can communicate to service-2.ns-2.svc.cluster.local with no TLS
  • service-2 can communicate to service-1.ns-1.svc.cluster.local with no TLS
  • service-1 can communicate to service-2.ns-2.svc.cluster.local with TLS
  • service-2 cannot communicate to service-1.ns-1.svc.cluster.local with TLS

You may know already in 4th case above (service-2 with TLS) the TLS is not terminated by any Istio objects which is causing this to failure.

If the TLS can be terminate by a sidecar this can work. added tls to sidecar api is what I am looking for but it is not in current Istio release (1.12.2 as of this answer)

What I ended up doing?

I deployed another istio-ingressGateway with service type as ClusterIP set it to route traffic for my ports. This will be the gateway for all my 3rd-party services to reach my 1st-party services and it will terminate TLS for incoming traffic and do mTLS to services in the istio namespace (ns-1). Since this is a ClusterIP it will be visible only inside the cluster. I then configured Istio Gateway and VirtualService objects to route traffic to my services based on port numbers.

RandomQuests
  • 635
  • 4
  • 16