How to consume Istio-based Service that enables `mtls`?

8/14/2018

Currently, I want to introduce Istio as our service-mesh framework for our microservices. I have played with it for some time (< 1 week), and my understanding is that Istio really provides an easy way to secure service-to-service communication. Much (or all?) of the Istio docs/articles provide an example of how a client and server that have istio-proxy (envoy) installed as a sidecar container can establish secure communication using the mtls method.

However, since our existing client (over which I don't have any control) that consumes our service (which will be migrated to use Istio) doesn't have Istio, I still don't understand well how we should do it better.

  • Is there any tutorial or example that covers my use case better?
  • How can the non-Istio-based client use mtls for consuming our Istio-based service? Think about using a basic curl command to simulate such a thing.
  • Also, I am thinking of distributing a specific service account (kubernetes, gcp iam service account, etc.) to the client to limit the client's privilege when calling our service. I have many questions on how these things (gcp iam service account, istio, rbac, mtls, jwt token, etc.) contribute to securing our service API.

Any advice?

-- Agung Pratama
google-cloud-platform
istio
jwt
kubernetes

1 Answer

8/16/2018

You want to add a third party to your Istio mesh outside of your network via SSL over public internet?

I don't think Istio is really meant for federating external services, but you could just have an istio ingress gateway proxy sitting at the edge of your network for routing into and back out of your application.

https://istio.io/docs/tasks/traffic-management/ingress/

If you're building microservices then surely you have an endpoint or gateway; that seems more sensible to me. Try Apigee or something.

-- Dan
Source: StackOverflow
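As an added illustration of the ingress-gateway approach suggested in the answer (example configuration written for this page, not code from the question, the answer, or the Istio project), the following resources terminate mutual TLS at the Istio ingress gateway so that a client without a sidecar can present an ordinary client certificate. The hostname `api.example.com`, the namespace `default`, the backend service name `myservice`, and the certificate file paths are assumptions; the mount paths follow the Istio 1.0 convention of mounting the `istio-ingressgateway-certs` and `istio-ingressgateway-ca-certs` secrets into the ingress gateway pod, which you should confirm against your Istio version. The client CA in `caCertificates` is the one that issues certificates to the external client; it is separate from the mesh CA used for sidecar-to-sidecar mtls.

```yaml
# Gateway: the ingress gateway listens on 443, serves its own certificate,
# and requires (mode: MUTUAL) a client certificate signed by the CA in
# caCertificates. Clients presenting no certificate, or one signed by
# another CA, are rejected during the TLS handshake, before any request
# reaches the backend.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: external-mtls-gateway        # assumed name
  namespace: default                 # assumed namespace
spec:
  selector:
    istio: ingressgateway            # default Istio ingress gateway deployment
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: MUTUAL
      # Server identity presented to the external client (assumed paths,
      # populated from the istio-ingressgateway-certs secret).
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      # CA bundle used to validate the external client's certificate
      # (assumed path, populated from the istio-ingressgateway-ca-certs secret).
      caCertificates: /etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem
    hosts:
    - "api.example.com"              # assumed public hostname
---
# VirtualService: routes requests that passed the gateway's mtls check to
# the in-mesh service. Inside the mesh the sidecars continue to use the
# mesh CA for service-to-service mtls, independent of the client CA above.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myservice-external           # assumed name
  namespace: default
spec:
  hosts:
  - "api.example.com"
  gateways:
  - external-mtls-gateway
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: myservice              # assumed backend service name
        port:
          number: 8080               # assumed backend port
```

With this in place, the plain-curl scenario from the question is `curl --cacert server-ca.crt --cert client.crt --key client.key https://api.example.com/` (file names assumed): `--cacert` validates the gateway's server certificate and `--cert`/`--key` supply the client certificate that `mode: MUTUAL` demands. Omitting `--cert` and `--key` should make the handshake fail, which is a quick check that the gateway is actually enforcing client authentication rather than just serving TLS.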