Istio Envoy Sidecar - run it as a Gateway alongside the application - istio

Is it possible to configure the Istio sidecar (Envoy) that runs alongside the application to terminate TLS the way the Istio Ingress Gateway does?
The goal is to terminate my application's TLS on inbound/outbound, encrypt with Istio mTLS when connecting to the other sidecar, and re-encrypt with my own certificates before forwarding the traffic upstream.
If so, please point me to some documentation.

Related

Regarding TLS termination at application load balancer AWS

I have an application in a container, which speaks HTTP on port 1429. The container is deployed in AWS EKS. I have configured the ALB with a certificate. The listener protocol is HTTPS and the port is 443.
I need to terminate TLS at the ALB and forward the request as HTTP to 1429.
I configured the ingress target port as 1429.
I am getting a Target TLS Negotiation Error in the CloudWatch metrics.
Any suggestions on this?
I would double-check that the target group protocol is set to HTTP. Seeing as your application is deployed to EKS, you could port-forward to the port in question and make an HTTP curl request to ensure that no TLS errors are thrown and that the request is handled as expected.
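As an added example (not the asker's or the answerer's own manifests), this is the Ingress the AWS Load Balancer Controller needs for the setup described above: HTTPS on 443 terminated at the ALB with an ACM certificate, and a plain HTTP target group on 1429. The Service name, namespace and certificate ARN are placeholders; the controller is assumed to be v2.x with an IngressClass named alb.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp            # placeholder name
  namespace: default     # assumed namespace
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip          # targets are pod IPs (EKS VPC CNI)
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID   # placeholder
    # This is the setting to check. The ALB -> target leg must be plain HTTP because
    # the container answers on 1429 in cleartext. With HTTPS here the ALB starts a
    # TLS handshake against a port that only speaks plaintext, which is exactly what
    # the TargetTLSNegotiationErrorCount CloudWatch metric counts.
    alb.ingress.kubernetes.io/backend-protocol: HTTP
    # Health checks use the same cleartext leg; with HTTPS here targets never turn healthy.
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/healthcheck-path: /
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp
                port:
                  number: 1429
---
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  type: ClusterIP        # target-type ip does not need a NodePort
  selector:
    app: myapp           # assumed pod label
  ports:
    - name: http
      port: 1429
      targetPort: 1429
```

The port-forward check in the answer is the quickest confirmation: a plain `curl http://localhost:1429/` through the forward must succeed, while `curl https://localhost:1429/` fails with a TLS error, which is the same failure the ALB is reporting against the target.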

ASM Envoy proxy no logs traffic

I installed managed ASM in a GKE cluster (Autopilot and Standard) and I'm using a simple Ingress Gateway and VirtualService to access an HTTPS service. In my local environment (Minikube) using Istio, all communication between my Services is caught by the Envoy proxy and shows up in its logs, but in the same scenario in GCP I cannot get any logs; the last Envoy message is "Envoy proxy is ready". Functionality and communication work fine.
In my GKE clusters I only enabled the ASM Mesh checkbox when the clusters were created.

Routing traffic from a namespace without Istio to a namespace with Istio

In my cluster I have multiple namespaces. All my 1st-party services are running in one namespace and all 3rd-party services are running in their own namespaces.
I have Istio enabled on my 1st-party namespace (let's call it ns-1). Istio is not enabled for any of my 3rd-party namespaces.
I have a 3rd-party service that needs to connect to my 1st-party service. The 3rd-party service will use k8s DNS like service1.ns-1.svc.cluster.local to connect to my service. The 3rd-party service can communicate with my 1st-party service without TLS. When I enable TLS between the services it fails and I don't know how/where to terminate the TLS.
Is it possible to define a Gateway that can route traffic between namespaces? Or is it possible to route traffic between namespaces through the Istio IngressGateway?
After playing with Istio & Minikube with echo-server examples, this is what I found. First let me define the namespaces and services so it will be easy to explain:
ns-1 - namespace 1 with Istio enabled
ns-2 - namespace 2 without Istio
service-1 - service 1 in the ns-1 namespace
service-2 - service 2 in the ns-2 namespace
Below is the connection status between these 2 services:
service-1 can communicate with service-2.ns-2.svc.cluster.local with no TLS
service-2 can communicate with service-1.ns-1.svc.cluster.local with no TLS
service-1 can communicate with service-2.ns-2.svc.cluster.local with TLS
service-2 cannot communicate with service-1.ns-1.svc.cluster.local with TLS
As you may already know, in the 4th case above (service-2 with TLS) the TLS is not terminated by any Istio object, which is what causes the failure.
If the TLS could be terminated by a sidecar this would work. Adding TLS to the Sidecar API is what I am looking for, but it is not in the current Istio release (1.12.2 as of this answer).
What I ended up doing:
I deployed another istio-ingressgateway with Service type ClusterIP and set it to route traffic for my ports. This is the gateway through which all my 3rd-party services reach my 1st-party services; it terminates TLS for incoming traffic and does mTLS to the services in the Istio namespace (ns-1). Since it is a ClusterIP, it is visible only inside the cluster. I then configured Istio Gateway and VirtualService objects to route traffic to my services based on port numbers.
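The setup the answer describes, written out as an added example (these are not the answerer's manifests): a second, cluster-internal ingress gateway, a Gateway that terminates TLS on port 8443 with our own certificate, and a VirtualService that routes by gateway port to service-1. The gateway name and label, the port numbers and the Secret name service-1-tls are assumptions; the certificate is assumed to be a kubernetes.io/tls Secret in istio-system, where the gateway workload runs.

```yaml
# IstioOperator overlay installing only an extra gateway (profile: empty leaves the
# control plane untouched). A ClusterIP Service means it is reachable from any
# namespace in the cluster but never from outside it.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: internal-gateway
  namespace: istio-system
spec:
  profile: empty
  components:
    ingressGateways:
      - name: istio-internal-ingressgateway
        namespace: istio-system
        enabled: true
        label:
          istio: internal-ingressgateway      # selector used by the Gateway below
        k8s:
          service:
            type: ClusterIP
            ports:
              - name: https-service-1
                port: 8443
                targetPort: 8443
---
# Gateway: terminate the 3rd-party client's TLS on 8443 using our own certificate.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: internal-gateway
  namespace: ns-1
spec:
  selector:
    istio: internal-ingressgateway
  servers:
    - port:
        number: 8443
        name: https-service-1
        protocol: HTTPS
      hosts:
        - "*"
      tls:
        mode: SIMPLE                # server-side TLS only; the client is not asked for a cert
        credentialName: service-1-tls   # assumed Secret name in istio-system
---
# VirtualService: everything arriving on gateway port 8443 goes to service-1.
# The gateway -> service-1 hop is mTLS because service-1 has a sidecar and Istio
# auto-mTLS is on by default (since 1.5), so no DestinationRule is required.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: service-1-via-internal-gateway
  namespace: ns-1
spec:
  hosts:
    - "*"
  gateways:
    - internal-gateway
  http:
    - match:
        - port: 8443
      route:
        - destination:
            host: service-1.ns-1.svc.cluster.local
            port:
              number: 8080          # assumed application port of service-1
```

With this in place the 3rd-party service no longer dials service-1.ns-1.svc.cluster.local directly; it connects to istio-internal-ingressgateway.istio-system.svc.cluster.local:8443, so the certificate in service-1-tls must carry that name as a SAN or the client's hostname verification will fail for a second, unrelated reason. One Gateway server per port, each with its own VirtualService port match, extends the same pattern to further 1st-party services.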

Exposing Istio Ingress Gateway as NodePort to GKE and run health check

I'm running the Istio Ingress Gateway in a GKE cluster. The Service runs as a NodePort. I'd like to connect it to a Google backend service. However, we need to have a health check that runs against Istio. Do you know if Istio exposes any HTTP endpoint to run a health check against and verify its status?
Per this installation guide, "Istio requires no changes to the application itself. Note that the application must use HTTP/1.1 or HTTP/2.0 protocol for all its HTTP traffic because the Envoy proxy doesn't support HTTP/1.0: it relies on headers that aren't present in HTTP/1.0 for routing."
The health check doesn't necessarily run against Istio itself, but against the whole stack behind the IP addresses you configured for the load balancer backend service. It simply requires a 200 response on / when invoked with no host name.
You can configure this by installing a small service like httpbin as the default path for your gateway.
You might also consider changing your Service to a LoadBalancer type, annotated to be internal to your network (no public IP). This will generate a backend service, complete with health check, which you can borrow for your other load balancer. This method has worked for me for nesting load balancers (to migrate load) but not for a proxy like Google's IAP.
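The "httpbin as the default path" suggestion, written out as an added example (not the answerer's configuration): a catch-all HTTP server on the stock ingress gateway and a VirtualService that answers exactly / with a 200 from httpbin. It assumes httpbin from the Istio samples is installed in the default namespace (Service port 8000) and that the gateway's HTTP NodePort is what the Google backend service targets.

```yaml
# Catch-all HTTP server on the standard ingress gateway. hosts: "*" is what makes
# the health check work, since the GCE prober sends no meaningful Host header.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: healthcheck-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
---
# Only the root path is routed, and it is rewritten to httpbin's /status/200 so
# the catch-all exposes one trivial endpoint rather than the whole httpbin app.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: healthcheck-default
  namespace: istio-system
spec:
  hosts:
    - "*"
  gateways:
    - healthcheck-gateway
  http:
    - match:
        - uri:
            exact: /
      rewrite:
        uri: /status/200
      route:
        - destination:
            host: httpbin.default.svc.cluster.local   # assumed location of httpbin
            port:
              number: 8000
```

If the backend service's health check is allowed to use a different port from the serving port, there is an alternative that needs no application route at all: the ingress gateway Service also exposes Envoy's status port, 15021, where GET /healthz/ready returns 200 once the proxy is ready (Istio 1.7 and later; earlier releases used 15020). That checks the gateway itself rather than a sample application behind it.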

Istio mTLS flow

I am a little confused about the mTLS flow of Istio. In the bookinfo example, I see that services are making calls over HTTP instead of HTTPS. If there is mTLS between services, then why do the services make HTTP calls?
Could it be that HTTP from the service goes to the Envoy proxy, which converts it into HTTPS? But then, in the envoy-proxy logs of the server, I see HTTP in the logs.
Can anybody please explain how this works?
Regards
"HTTP from the service goes to the Envoy proxy, which converts it into HTTPS"
Correct, but only if you enable this feature in Istio. To enable it, see installation step 5 in https://istio.io/docs/setup/kubernetes/quick-start.html#installation-steps:
Install Istio and enable mutual TLS authentication between sidecars:
kubectl apply -f install/kubernetes/istio-auth.yaml
You may also want to read about testing this feature: https://istio.io/docs/tasks/security/mutual-tls.html .
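The answer refers to the istio-auth.yaml install of the Istio 0.x era. As an added example (not from the answerer), the equivalent on current releases (1.5 and later) is a mesh-wide PeerAuthentication, plus a sidecar access-log format that makes the mTLS leg visible, which addresses the confusion in the question: the %PROTOCOL% field in the server sidecar's log is the application protocol (HTTP/1.1) the app spoke to its own sidecar, so it reads "http" even when the sidecar-to-sidecar hop was mTLS. The log format is an assumption built from Envoy's documented command operators.

```yaml
# Mesh-wide: every sidecar accepts only mTLS from other sidecars. Workloads
# without a sidecar can no longer reach these services in plaintext.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system     # the root namespace makes this the mesh default
spec:
  mtls:
    mode: STRICT
---
# Make the transport visible in the sidecar access log. On the server sidecar the
# "downstream" is the calling sidecar, so a request that arrived over mTLS logs a
# TLS version and the caller's spiffe:// identity; a plaintext request logs "-"
# for both. %PROTOCOL% stays HTTP/1.1 either way, which is what the question saw.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogFile: /dev/stdout
    accessLogFormat: |
      [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% tls=%DOWNSTREAM_TLS_VERSION% peer=%DOWNSTREAM_PEER_URI_SAN% upstream=%UPSTREAM_HOST%
```

A second, format-independent sign of mTLS on the server side is the X-Forwarded-Client-Cert header the receiving sidecar injects into the request it hands to the application, which carries the caller's spiffe:// URI; it is absent when the hop was plaintext. STRICT mode is the setting to verify before assuming encryption: the default PERMISSIVE mode accepts both mTLS and plaintext, so a passing request alone proves nothing about the transport.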