I need to setup mutual tls communication from kubernetes pod to external service. My system is running with istio system.
I found reference about this.
https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule/#TLSSettings
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-mtls
spec:
  host: "*.external.com"
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
      caCertificates: /etc/certs/rootcacerts.pem
According to this document, all I need to do is set mode MUTUAL (not ISTIO_MUTUAL) and set the certificate files. As you can see, clientCertificate, privateKey and caCertificates are local file paths.
I think they should be on the envoy proxy's disk. But I couldn't find a way to put my certificate files into the envoy proxy's volume.
How can I do that?
You can run istioctl kube-inject -f your-deployment.yaml > your-deployment-with-istio-sidecar.yaml.
Then edit your-deployment-with-istio-sidecar.yaml and add mounting of the certificates from some secrets. Then create the secrets from your certificates.
Alternatively, create your sidecar injection template, see https://istio.io/blog/2019/data-plane-setup/#manual-injection.
Example of creating secrets for certificates: https://istio.io/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#redeploy-the-egress-gateway-with-the-client-certificates
Mounting volumes from secrets is described here: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
I found a solution.
- create a secret or config map
kubectl create secret generic my-cert --from-file=cert1.crt --from-file=cert2.crt
- annotate the pod or deployment with sidecar.istio.io/userVolumeMount and sidecar.istio.io/userVolume
annotations:
  sidecar.istio.io/userVolumeMount: '[{"name":"my-cert", "mountPath":"/etc/my-cert", "readonly":true}]'
  sidecar.istio.io/userVolume: '[{"name":"my-cert", "secret":{"secretName":"my-cert"}}]'
Done. It's mounted into the envoy proxy pod.
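The three objects wired together end to end, as an added example that is not from the question or either answer: the secret's keys become file names under the sidecar's mountPath, and the DestinationRule paths must point at exactly those files. The object names, image, key names and external host are assumptions.

```yaml
# Constructed example: secret -> sidecar mount -> DestinationRule paths.
apiVersion: v1
kind: Secret
metadata:
  name: my-cert
type: Opaque
# Equivalent to: kubectl create secret generic my-cert \
#   --from-file=client.pem --from-file=client-key.pem --from-file=ca.pem
# Each key is mounted as a file named after the key.
stringData:
  client.pem: PLACEHOLDER-CLIENT-CERT-PEM
  client-key.pem: PLACEHOLDER-CLIENT-KEY-PEM
  ca.pem: PLACEHOLDER-ROOT-CA-PEM
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
      annotations:
        # These mount into the istio-proxy container, not the app container,
        # so only Envoy sees the private key.
        sidecar.istio.io/userVolume: '[{"name":"my-cert","secret":{"secretName":"my-cert"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"my-cert","mountPath":"/etc/my-cert","readOnly":true}]'
    spec:
      containers:
      - name: my-app
        image: my-app:1.0   # placeholder image
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-mtls
spec:
  host: "*.external.com"   # quoted: a bare '*' is a YAML alias
  trafficPolicy:
    tls:
      mode: MUTUAL
      # mountPath + secret key, read from the sidecar's own filesystem
      clientCertificate: /etc/my-cert/client.pem
      privateKey: /etc/my-cert/client-key.pem
      caCertificates: /etc/my-cert/ca.pem
```

caCertificates must contain the CA that signed the external server's certificate, not the client's own issuer, or the handshake fails on server verification. If the mesh's outbound traffic policy is REGISTRY_ONLY, the external host also has to be registered with a ServiceEntry before this DestinationRule applies to it.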