How can I add the certificate of external service client (without istio side-car) to istio envoy proxy's truststore?

12/18/2019

I have a service with an istio side-car and an external client without an istio side-car. I want to set up mutual TLS communication between them. I have created a policy for the default namespace to allow only mutual TLS.

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "default"
spec:
  peers:
  - mtls:
      mode: STRICT

I added the cert-chain.pem public certificate of the istio side car to the external client's truststore.

Similarly, how can I add my external client's certificate to the istio envoy proxy's truststore?

I tried adding the annotations to the side car as mentioned here, but in the handshake only the Server Hello was completed (since my external service's public certificate is not in the side car of the server).

I'm new to istio and would really appreciate it if anyone can help with this.

-- Ramesha Karunasena
envoyproxy
istio
kubernetes
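The symptom in the question (the handshake stops after Server Hello) is what a server-side proxy produces when the client's certificate does not chain to any CA in the server's trust bundle. The following is an added, self-contained example, not code from the question or from Istio/Envoy: it builds a throwaway CA and an external-client leaf certificate in memory with Go's standard crypto/x509 package, then runs the same chain-and-EKU verification a server performs on a presented client certificate, once against a truststore that lacks the client's CA and once against one that includes it. All names (`external-client-ca`, `unrelated-ca`, `external-client`) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer bundles a CA certificate with its signing key (constructed in memory).
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed CA certificate. It stands in for whichever CA
// signed the external client's certificate; it is not an Istio CA.
func newCA(cn string) (*issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issuer{cert: cert, key: key}, nil
}

// issueClientCert signs a leaf certificate carrying the client-auth EKU,
// i.e. what an external mTLS client presents in its Certificate message.
func issueClientCert(ca *issuer, cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientTrustedBy performs the server-side check of an mTLS handshake: the
// presented client certificate must chain to a CA in the truststore and be
// valid for client authentication. A nil error means the client is trusted.
func clientTrustedBy(client *x509.Certificate, truststore *x509.CertPool) error {
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     truststore,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	clientCA, _ := newCA("external-client-ca")
	otherCA, _ := newCA("unrelated-ca")
	client, _ := issueClientCert(clientCA, "external-client")

	// Truststore that knows only an unrelated CA: verification fails, which is
	// the state a handshake is in when it stalls after Server Hello.
	wrong := x509.NewCertPool()
	wrong.AddCert(otherCA.cert)
	fmt.Println("unrelated CA only:", clientTrustedBy(client, wrong))

	// Truststore that also contains the client's CA: verification succeeds.
	right := x509.NewCertPool()
	right.AddCert(otherCA.cert)
	right.AddCert(clientCA.cert)
	fmt.Println("client CA added:  ", clientTrustedBy(client, right))
}
```

The point the example makes is that the server side trusts an issuing CA, not an individual leaf: what must be present in the server proxy's trust bundle is the CA certificate that signed the external client's certificate (or the client's self-signed certificate, if it acts as its own CA), and the leaf must also carry the client-authentication extended key usage, otherwise `Verify` rejects it even when the chain is valid.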

0 Answers