How to route traffic from Anthos Service Mesh / Istio service mesh to a mutual TLS web server on an IP address and port number

Ramaprasad Gurajala
2 min read · Apr 2, 2021

I have stumbled upon a use case where I have to route HTTP traffic from our service mesh and originate mutual TLS traffic to a mutual TLS web server running on a plain IP address and port.

From the existing documentation it's not obvious how to do this, but it's all there in bits and pieces. I am writing this up to make life easier for others who have this use case.

Step#1: Define a Kubernetes Service without a selector and an Endpoints object carrying the IP address of the external server.

```yaml
kind: Service
apiVersion: v1
metadata:
  name: my-nginx
  namespace: namespace
spec:
  ports:
  - protocol: TCP
    port: 443
    name: tls
---
kind: Endpoints
apiVersion: v1
metadata:
  name: my-nginx
  namespace: namespace
subsets:
- addresses:
  - ip: X.X.X.X
  ports:
  - port: 443
    name: tls
```

Note: HTTP traffic to this service cannot be routed like any other HTTP traffic, because istio-proxy opens a TCP proxy connection to this IP address and port. The traditional egress gateway TLS origination process therefore cannot be applied to this use case.

Step#2: Define the traffic policy with a DestinationRule

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-nginx
  namespace: niis-dev
spec:
  host: my-nginx
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        clientCertificate: /etc/nginx-client-certs/tls.crt
        privateKey: /etc/nginx-client-certs/tls.key
        caCertificates: /etc/nginx-ca-certs/example.com.crt
```

With this rule in place the sidecar performs TLS origination in mutual TLS mode for port 443: it presents the client certificate and key, and validates the server against the listed CA certificate.

Note: Make sure the client certificates are mounted on the sidecar proxy (istio-proxy container) of the application making this connection; the paths in the DestinationRule are resolved inside the sidecar, not inside the application container.

No VirtualService is required for this.
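The two steps above, put together as one script (an added example, not code from the original post): it renders the Service, Endpoints and DestinationRule in a single namespace, patches the calling Deployment with Istio's `sidecar.istio.io/userVolume` / `sidecar.istio.io/userVolumeMount` annotations so the certificate Secrets are mounted into the istio-proxy container rather than the app container, and checks the sidecar's Envoy cluster configuration. The namespace `mesh-demo`, the IP `192.0.2.10`, the Deployment name `client-app` and the Secret names `nginx-client-certs` / `nginx-ca-certs` are assumptions; the DestinationRule uses the Service FQDN so that it still resolves to the right Service if it is applied from another namespace.

```shell
#!/usr/bin/env bash
# Added example: end-to-end manifests plus a sidecar check for mTLS origination
# to an external IP:port. Names, namespace, IP and Secret names are assumptions.
set -eu

NAMESPACE="${NAMESPACE:-mesh-demo}"
NGINX_IP="${NGINX_IP:-192.0.2.10}"     # placeholder (TEST-NET-1); replace with the real server IP
CLIENT_APP="${CLIENT_APP:-client-app}" # Deployment whose sidecar will originate mTLS
FQDN="my-nginx.${NAMESPACE}.svc.cluster.local"

# Step 1 + Step 2 in one document stream, indented and parameterised.
render_manifests() {
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  namespace: ${NAMESPACE}
spec:
  # No selector: the Endpoints object below supplies the external address.
  ports:
  - name: tls
    port: 443
    protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
  name: my-nginx          # must match the Service name exactly
  namespace: ${NAMESPACE}
subsets:
- addresses:
  - ip: ${NGINX_IP}
  ports:
  - name: tls
    port: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-nginx
  namespace: ${NAMESPACE}
spec:
  host: ${FQDN}
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        # These paths are resolved inside the istio-proxy container.
        clientCertificate: /etc/nginx-client-certs/tls.crt
        privateKey: /etc/nginx-client-certs/tls.key
        caCertificates: /etc/nginx-ca-certs/example.com.crt
EOF
}

# Strategic-merge patch that mounts the two Secrets into the sidecar. The Secrets
# are assumed to exist already (e.g. "kubectl create secret tls nginx-client-certs
# --cert=tls.crt --key=tls.key" and a generic Secret holding example.com.crt).
sidecar_patch_json() {
  cat <<'EOF'
{"spec":{"template":{"metadata":{"annotations":{
 "sidecar.istio.io/userVolume":"[{\"name\":\"nginx-client-certs\",\"secret\":{\"secretName\":\"nginx-client-certs\"}},{\"name\":\"nginx-ca-certs\",\"secret\":{\"secretName\":\"nginx-ca-certs\"}}]",
 "sidecar.istio.io/userVolumeMount":"[{\"name\":\"nginx-client-certs\",\"mountPath\":\"/etc/nginx-client-certs\",\"readonly\":true},{\"name\":\"nginx-ca-certs\",\"mountPath\":\"/etc/nginx-ca-certs\",\"readonly\":true}]"
}}}}}
EOF
}

apply_all() {
  render_manifests | kubectl apply -f -
  kubectl -n "$NAMESPACE" patch deployment "$CLIENT_APP" -p "$(sidecar_patch_json)"
  kubectl -n "$NAMESPACE" rollout status deployment "$CLIENT_APP"
}

# The outbound Envoy cluster for my-nginx:443 should carry a TLS transport socket
# referencing the client certificate path; the final curl sends plain HTTP from
# the app container and lets the sidecar upgrade it to mTLS.
verify_mtls_origination() {
  local pod
  pod="$(kubectl -n "$NAMESPACE" get pod -l app="$CLIENT_APP" \
         -o jsonpath='{.items[0].metadata.name}')"
  istioctl -n "$NAMESPACE" proxy-config cluster "$pod" --fqdn "$FQDN" --port 443 -o json \
    | grep -q '/etc/nginx-client-certs/tls.crt' \
    || { echo "sidecar cluster for $FQDN:443 has no mTLS origination config" >&2; return 1; }
  kubectl -n "$NAMESPACE" exec "$pod" -c "$CLIENT_APP" -- \
    curl -sS -o /dev/null -w '%{http_code}\n' "http://my-nginx.${NAMESPACE}:443/"
}

# Run as "./mtls-origination.sh apply" against a real cluster; with no argument
# it only defines the functions (useful for "source"-ing or for dry runs).
if [ "${1:-}" = "apply" ]; then
  apply_all
  verify_mtls_origination
fi
```

A dry run is `NGINX_IP=10.0.0.5 ./mtls-origination.sh` followed by `render_manifests | kubectl apply --dry-run=client -f -` from a shell that sourced the script. The verification deliberately inspects the sidecar's cluster config rather than the listener: since the port is TCP-proxied there is no HTTP route to look at, and the presence of the certificate path in the upstream TLS context is the direct evidence that origination is configured on the right cluster.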
