0

I am a newbie with Istion. Recently I read from other Stack overflow Posts that communication between Istio Side car and the main container is not encrypted. However in a scenario where, I am performing a TLS passthrough in Istio at the IngressGateway level and also enforcing mTLS within my Istio Mesh, what happens to the TLS traffic that reaches my Application's side car proxy? Does the Proxy (always) strips off the TLS and passes non-SSL traffic to my backend kubernetes Service? or does my Proxy pass the TLS traffic as-is to the Application conatiners? (if So, this is contradicting what I learned)

  1. As traffic b/w Istio Side car and the main container is not encrypted, does this mean I have to always expose a non-SSL port as my container port within my k8s service definition file while using an Istio service mesh?

Thanks

I haven't tried any POC yet as I am still confused about these constructs.

santosh2000
  • 1
  • 1
  • I don't have a definitive answer, but here is my understanding of it at least: with passthrough the original (encrypted) traffic is allowed to pass through the gateway without decrypting it. mTLS will just add additional encryption on top of that, which the sidecar will decrypt. So the request that hits your application container will be the originally encrypted traffic that the Gateway received. – Karl Jul 10 '23 at 20:36

1 Answers1

0

If you would like to use TLS Passthrough then its application container responsibility to handle the TLS. So in this case in istio gateway you need to mention below

servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH

Also the in virtual service and service definition it has to be HTTPS details. Please refer istio documentation for detailed explanation.

In case of TLS termination please refer following istio documentation. Additionally PeerAuthentication, DestinationRule resources along with gateway and virtual service resources has to be created.

Nataraj Medayhal
  • 980
  • 1
  • 2
  • 12
  • what if protocol is tcp & the gateway doesn't have any mTLS defined? my requirement is to connect to mongo db (stateful set) via ingress gateway. the default mTLS in the istio-system is strict set. – user2700022 Aug 18 '23 at 08:13
  • 1
    In the above condition in the application gateway definition you can declare mode: simple and attach an secret. so in this case traffic flow will be "External traffic" <---mTLS--> istio-ingress gateway<--mTLS-->istio-proxy inside pod (sidecar)<--pain text--> Applicaiton Container. depending on the requirement you can use ISTIO_MUTUAL / MUTUAL as well. – Nataraj Medayhal Aug 18 '23 at 08:33