How to route traffic from Anthos Service Mesh / Istio service mesh to a mutual TLS web server on an IP address and port number
I have stumbled upon a use case where I have to route HTTP traffic from our service mesh and originate mutual TLS to a mutual TLS web server that is reachable by IP address and port.
From the existing documentation it is not obvious how to do this, but it is all there in bits and pieces. I am writing this up to make life easier for others who have this use case.
Step#1: Define a Kubernetes Service without a selector, and an Endpoints object (same name and namespace) that maps it to the external IP address.
kind: Service
apiVersion: v1
metadata:
  name: my-nginx
  namespace: namespace
spec:
  ports:
  - protocol: TCP
    port: 443
    name: tls
---
kind: Endpoints
apiVersion: v1
metadata:
  name: my-nginx
  namespace: namespace
subsets:
- addresses:
  - ip: X.X.X.X
  ports:
  - port: 443
    name: tls
Note: Because the port is named "tls", the sidecar treats this service as opaque TCP rather than HTTP: the application's plain-text request is handed to a TCP proxy that connects to this IP address and port, so it cannot be routed like ordinary HTTP traffic in the mesh. The Egress Gateway TLS origination procedure from the documentation, which relies on HTTP-level routing, therefore does not apply to this use case; TLS origination has to be configured at the transport level instead.
Step#2: Define the traffic policy with a DestinationRule
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-nginx
  namespace: niis-dev
spec:
  host: my-nginx
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        clientCertificate: /etc/nginx-client-certs/tls.crt
        privateKey: /etc/nginx-client-certs/tls.key
        caCertificates: /etc/nginx-ca-certs/example.com.crt
The above rule makes the calling workload's sidecar originate mutual TLS to the endpoint: the application sends plain HTTP to my-nginx:443, and the istio-proxy container wraps that connection in TLS, presenting the client certificate and validating the server's certificate against the given CA bundle.
Note: The certificate paths are resolved inside the istio-proxy (sidecar) container, not the application container. Please make sure the client certificate, key and CA bundle are mounted into the sidecar of every workload that makes this connection (for example with the sidecar.istio.io/userVolume and sidecar.istio.io/userVolumeMount pod annotations).
Note: A short host name such as my-nginx is resolved relative to the DestinationRule's own namespace, so either create the rule in the same namespace as the Service or use the fully qualified name my-nginx.<namespace>.svc.cluster.local.
No VirtualService is required for this. To confirm that origination is in place, run istioctl proxy-config cluster <pod> --fqdn my-nginx.<namespace>.svc.cluster.local -o json against a client pod; the cluster for port 443 should show a TLS transport socket referencing the mounted certificate paths.
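The complete manifest set for the two steps above, including the client Deployment that mounts the credentials into its sidecar, as an added example that is not part of the original post. It assumes a namespace placeholder "namespace" (as in the post), two pre-created Secrets, nginx-client-certs (type kubernetes.io/tls, keys tls.crt and tls.key) and nginx-ca-certs (key example.com.crt), and a hypothetical client Deployment named my-client; X.X.X.X stands for the mutual TLS server's IP address.

```yaml
# Added example, not from the original post. Assumed names: namespace "namespace",
# Secrets "nginx-client-certs" (tls.crt/tls.key) and "nginx-ca-certs" (example.com.crt),
# Deployment "my-client". X.X.X.X is the external mTLS web server's IP address.
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  namespace: namespace
spec:
  # No selector: the endpoint is supplied by hand below, not discovered from pods.
  ports:
  - name: tls          # "tls" makes Istio treat this port as TLS/TCP, not HTTP
    protocol: TCP
    port: 443
    targetPort: 443
---
apiVersion: v1
kind: Endpoints
metadata:
  name: my-nginx       # must match the Service name
  namespace: namespace
subsets:
- addresses:
  - ip: X.X.X.X        # external mutual TLS web server
  ports:
  - name: tls          # must match the Service port name
    port: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-nginx
  namespace: namespace   # same namespace as the Service
spec:
  host: my-nginx.namespace.svc.cluster.local   # fully qualified, so resolution does not depend on the rule's namespace
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        # Paths are read by Envoy inside the istio-proxy container; they are
        # mounted there by the annotations on the client pod below.
        clientCertificate: /etc/nginx-client-certs/tls.crt
        privateKey: /etc/nginx-client-certs/tls.key
        caCertificates: /etc/nginx-ca-certs/example.com.crt
        # If the server requires a specific server name, add the optional "sni" field here.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-client
  namespace: namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-client
  template:
    metadata:
      labels:
        app: my-client
      annotations:
        # Mount the credentials into the sidecar (not the app container): the
        # sidecar, not the application, performs the TLS handshake.
        sidecar.istio.io/userVolume: '[{"name":"nginx-client-certs","secret":{"secretName":"nginx-client-certs"}},{"name":"nginx-ca-certs","secret":{"secretName":"nginx-ca-certs"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"nginx-client-certs","mountPath":"/etc/nginx-client-certs","readonly":true},{"name":"nginx-ca-certs","mountPath":"/etc/nginx-ca-certs","readonly":true}]'
    spec:
      containers:
      - name: client
        image: curlimages/curl
        # The application speaks plain HTTP to the Service on port 443; the
        # sidecar's TCP proxy wraps the connection in mutual TLS on the way out.
        command: ["sh", "-c", "while true; do curl -sS http://my-nginx:443/; sleep 30; done"]
```

Create the Secrets before applying the manifests, for example with kubectl create secret tls nginx-client-certs --cert=client.crt --key=client.key and kubectl create secret generic nginx-ca-certs --from-file=example.com.crt, in the same namespace as the Deployment. The private key is then only ever readable by the istio-proxy container, which is the least-privilege arrangement for a credential the application itself never needs.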