How to route traffic from Anthos Service Mesh / Istio service mesh to a mutual TLS web server on an IP address and port number.

I have stumbled upon a use case where I have to route HTTP traffic out of our service mesh and originate mutual TLS to a mutual TLS web server that is reachable only on an IP address and port.

From the existing documentation it's not obvious how to do this, but the pieces are all there. I am writing this up to make life easier for others who have this use case.

Step#1: Define a Kubernetes Service without a selector, and an Endpoints object that carries the external IP address.

kind: Service
apiVersion: v1
metadata:
  name: my-nginx
  namespace: namespace       # placeholder; use the namespace of the calling workload
spec:
  # No selector: Kubernetes will not manage Endpoints for this Service,
  # so the Endpoints object below supplies the external address by hand.
  ports:
  - protocol: TCP
    port: 443
    name: tls                # the "tls" port-name prefix tells Istio to treat this port as TLS, not HTTP
---
kind: Endpoints
apiVersion: v1
metadata:
  name: my-nginx             # must match the Service name
  namespace: namespace       # must match the Service namespace
subsets:
- addresses:
  - ip: X.X.X.X              # placeholder: IP address of the external mutual TLS server
  ports:
  - port: 443
    name: tls                # must match the Service port name

Note: HTTP traffic to this service cannot be routed like ordinary HTTP traffic, because the sidecar (istio-proxy) opens a plain TCP proxy connection to this IP address and port. The usual egress gateway TLS origination procedure therefore does not apply to this use case.

Step#2: Define the traffic policy with a DestinationRule.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-nginx
  namespace: niis-dev        # a short host name below is resolved in this namespace,
                             # so it must be the namespace of the Service from Step 1
                             # (or use the FQDN my-nginx.<namespace>.svc.cluster.local)
spec:
  host: my-nginx
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL         # sidecar presents a client certificate and verifies the server
        # These paths are on the filesystem of the istio-proxy container,
        # not the application container.
        clientCertificate: /etc/nginx-client-certs/tls.crt
        privateKey: /etc/nginx-client-certs/tls.key
        caCertificates: /etc/nginx-ca-certs/example.com.crt

The above rule makes the sidecar originate the connection with mutual TLS: it presents the client certificate and verifies the server against the CA bundle.

Note: Please make sure the client certificate, private key and CA bundle are mounted into the sidecar proxy (the istio-proxy container) of the application that makes this connection, at exactly the paths referenced in the DestinationRule.

No VirtualService is required for this.
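The note above says the certificates must be mounted on the sidecar, but not how. As an added example (not part of the original post), the following Deployment shows the Istio sidecar.istio.io/userVolume and sidecar.istio.io/userVolumeMount annotations, which make the sidecar injector attach Secret volumes to the istio-proxy container at the paths the DestinationRule uses. The Secret names, the application name and image, and the niis-dev namespace of the workload are assumptions.

```yaml
# Added example, not from the original post.
# Assumes two Secrets exist in the same namespace:
#   nginx-client-certs (type kubernetes.io/tls, keys tls.crt and tls.key)
#   nginx-ca-certs     (generic, key example.com.crt holding the server CA bundle)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: client-app                 # assumed name
  namespace: niis-dev              # same namespace as the DestinationRule
spec:
  replicas: 1
  selector:
    matchLabels:
      app: client-app
  template:
    metadata:
      labels:
        app: client-app
      annotations:
        # The sidecar injector reads these and adds the volumes to the
        # istio-proxy container only; the application container never
        # sees the private key.
        sidecar.istio.io/userVolume: |
          [{"name":"nginx-client-certs","secret":{"secretName":"nginx-client-certs"}},
           {"name":"nginx-ca-certs","secret":{"secretName":"nginx-ca-certs"}}]
        sidecar.istio.io/userVolumeMount: |
          [{"name":"nginx-client-certs","mountPath":"/etc/nginx-client-certs","readonly":true},
           {"name":"nginx-ca-certs","mountPath":"/etc/nginx-ca-certs","readonly":true}]
    spec:
      containers:
      - name: client-app
        image: curlimages/curl     # assumed; any image that can issue HTTP requests
        command: ["sleep", "infinity"]
```

The Secrets can be created with kubectl create secret tls nginx-client-certs --cert=client.crt --key=client.key and kubectl create secret generic nginx-ca-certs --from-file=example.com.crt=ca.crt (both in niis-dev), so the file names inside the mounts line up with the clientCertificate, privateKey and caCertificates paths. Because the application container does not receive the key, it sends plain HTTP to my-nginx:443 and the sidecar does the mutual TLS handshake. To confirm the sidecar picked up the policy, istioctl proxy-config cluster <pod> -n niis-dev --fqdn my-nginx.niis-dev.svc.cluster.local -o json should show a transport socket with the MUTUAL TLS context and the mounted certificate paths.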
