K
Q

How can I add the certificate of external service client (without istio side-car) to istio envoy proxy's truststore?

12/18/2019

I have a service with istio side-car and an external client without istio side-car. I want to setup mutual tls communication between them. I have created a policy for the default namespace to allow only mutual tls.

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "default"
spec:
  peers:
  - mtls: 
      mode: STRICT

I added the cert-chain.pem public certificate of the istio side car to the external client's truststore.

Similarly, how can I add my external client's certificate to the istio envoy proxy's truststore?

I tried adding the annotations to the side car as mentioned here, but in the handshake only the Server Hello was completed (since my external service's public certificate is not in side car of the server)

I'm new to istio and would really appreciate if anyone can help in this?

-- Ramesha Karunasena
envoyproxy
istio
kubernetes

Similar Questions

CertManager Letsencrypt CertificateRequest "failed to perform self check GET request"
Getting helm status failed for prometheus-9.5.4
Enforcing K8s networkpolicy on EKS
Is there a way to pass statefulset name into a file, which is mounted into configmap for the same statefulset?
grpc k8s listen giving "too many colons"
Fluent-bit unable to find parser event if define in config file

0 Answers