We have a Kubernetes cluster with Istio 1.0 (with Envoy proxy) and some other stuff. We use Istio's Gateway to verify client certificates. We would like to pass client certificate's subject to the internal services.
Here in Envoy's documentation I have found the following configuration option: forward_client_cert, which enables passing the subject, among other information, in the header x-forwarded-client-cert, although I could not find a way to enable it in Istio.
Has anyone tried to do something similar and succeeded? Or does Istio not support that?
This is a late answer, but forwarding client cert details is supported in the 1.1.0 release. This is the default behavior of an HTTPS gateway; however, you need to have mutual TLS enabled globally for this to work. To do so, apply the following MeshPolicy object:
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
spec:
  peers:
  - mtls: {}
Once this is applied, HTTPS calls to the ingress will forward an X-Forwarded-Client-Cert header to the server.
Keep in mind, however, that once global mTLS is enabled, service-to-service calls within the cluster must also use TLS. This can be done by creating a DestinationRule for each service with the mode set to ISTIO_MUTUAL (or MUTUAL if you want to use your own client certificates instead of those generated by Citadel):
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  # Kubernetes object names must be lowercase DNS-1123 names, so "myApp" would be rejected.
  name: myapp
  namespace: default
spec:
  # Must match the Kubernetes Service name the sidecars connect to.
  host: myapp
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
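Once the gateway forwards the header, the internal service still has to parse it. Envoy's X-Forwarded-Client-Cert value is one element per proxy hop, elements separated by commas, each element a semicolon-separated list of key=value pairs, with values double-quoted when they contain a comma, semicolon or equals sign (the Subject almost always does). The parser below is an added example, not code from the question, the answer, or the Istio/Envoy projects; the sample header, the SPIFFE identities in it and the certificate hashes are constructed for illustration and do not come from any real cluster.

```python
"""Parse Envoy's X-Forwarded-Client-Cert (XFCC) header and extract the client Subject.

Added example for the Istio/Envoy discussion above; not part of the original page.
The header format is the one documented for Envoy: elements for each proxy hop are
comma-separated (leftmost = hop closest to the client), each element holds
';'-separated key=value pairs, and values containing ',', ';' or '=' are
double-quoted. Everything in SAMPLE_XFCC below is constructed, not captured.
"""
from typing import Dict, List, Optional

# Constructed sample: element 1 was written by the ingress gateway (it saw the external
# client's certificate), element 2 by the sidecar in front of the workload (it saw the
# gateway's own Citadel-issued certificate). Hashes and SPIFFE IDs are made up.
SAMPLE_XFCC = (
    "By=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account;"
    "Hash=7f2c0a1d3e5b6c8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f;"
    'Subject="CN=alice,OU=Payments,O=Example Corp,C=US";'
    "URI=spiffe://example.com/clients/alice"
    ",By=spiffe://cluster.local/ns/default/sa/myapp;"
    "Hash=0011223344556677889900aabbccddeeff00112233445566778899aabbccddee;"
    "URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
)


def parse_xfcc(header: str) -> List[Dict[str, List[str]]]:
    """Split an XFCC header into one dict per hop; keys map to lists because URI/DNS may repeat.

    Delimiters are only honoured outside double quotes, so a quoted Subject such as
    "CN=a,O=b" survives intact. Quoted values are taken literally (no escape handling).
    """
    elements: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    buf: List[str] = []
    key: Optional[str] = None
    in_quotes = False

    def end_pair() -> None:
        nonlocal key, buf
        if key is not None:
            current.setdefault(key, []).append("".join(buf))
        key, buf = None, []

    def end_element() -> None:
        nonlocal current
        end_pair()
        if current:
            elements.append(current)
        current = {}

    for ch in header:
        if in_quotes:
            if ch == '"':
                in_quotes = False
            else:
                buf.append(ch)
        elif ch == '"':
            in_quotes = True
        elif ch == "=" and key is None:      # first '=' ends the key; later ones belong to the value
            key, buf = "".join(buf).strip(), []
        elif ch == ";":
            end_pair()
        elif ch == ",":
            end_element()
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unterminated quote in X-Forwarded-Client-Cert")
    end_element()
    return elements


def client_subject(header: str) -> Optional[str]:
    """Subject of the external client's certificate: the leftmost hop's Subject, if any."""
    elements = parse_xfcc(header)
    if not elements or "Subject" not in elements[0]:
        return None
    return elements[0]["Subject"][0]


def split_rdns(subject: str) -> Dict[str, str]:
    """Break an RFC 2253 style DN ("CN=alice,O=Example Corp,C=US") into attribute -> value.

    Handles backslash-escaped commas; multi-valued RDNs ('+') and repeated attribute
    types are not special-cased (a repeated type keeps the last value).
    """
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in subject:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns: Dict[str, str] = {}
    for part in parts:
        if "=" in part:
            attr, _, value = part.partition("=")
            rdns[attr.strip()] = value.strip()
    return rdns


if __name__ == "__main__":
    for hop, element in enumerate(parse_xfcc(SAMPLE_XFCC), start=1):
        print(f"hop {hop}: {element}")
    print("client subject:", client_subject(SAMPLE_XFCC))
    print("CN:", split_rdns(client_subject(SAMPLE_XFCC) or "").get("CN"))
```

The service should only act on this header for traffic that provably came through the gateway and sidecar (which is what the global mTLS requirement above enforces); any path that bypasses the mesh would let a caller supply an arbitrary X-Forwarded-Client-Cert and pick their own Subject.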