Serve RSA & EC certificate in same istio gateway

8/13/2020

Due to a mix of legacy devices and newer devices I want to serve both RSA and EC certificates for a service that is exposed via HTTPS using the same DNS name and on the same port.

I have followed the official guide for secure gateways of istio mentioned here: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-mutual-tls-ingress-gateway. Unfortunately it doesn't mention whether it's possible at all to configure multiple certificates for a single secure gateway.

According to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl envoy supports certificate selection based on the advertised cipher suites of the client connecting to the service.

Can istio generate an envoy configuration with a DownstreamTlsContext using two certificates? If yes, how would I go about configuring this in istio / the involved k8s Secrets?

I'm aware that I can pass through the TLS traffic to a pod (running e.g. nginx) and do the TLS offloading within that pod, but as of now I'd like to keep my cluster as homogeneous as possible.

-- a_curious_dev
istio
kubernetes

0 Answers
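For reference, this is what the Envoy-level configuration the question asks about looks like when written by hand. It is an added example, not code from the poster or from the Istio project: a static Envoy v3 listener whose DownstreamTlsContext carries two `tls_certificates` entries, one RSA and one ECDSA, so that Envoy can pick the chain matching the client's advertised cipher suites and signature algorithms (the behaviour described on the linked Envoy page). The certificate file paths, the listener port and the cluster name are assumptions; the question of how Istio should be driven to emit this remains open.

```yaml
# Added example (not from the original post): a hand-written Envoy v3
# listener that serves an RSA chain and an ECDSA chain for the same
# hostname and port. Envoy selects one per handshake based on what the
# client advertises. File paths and names below are assumed placeholders.
static_resources:
  listeners:
  - name: https_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_params:
              # Legacy clients should still be held to TLS 1.2 as a floor.
              tls_minimum_protocol_version: TLSv1_2
            tls_certificates:
            # One certificate of each key type; Envoy accepts at most one
            # RSA and one ECDSA chain per filter chain.
            - certificate_chain: { filename: /etc/certs/rsa/tls.crt }
              private_key:       { filename: /etc/certs/rsa/tls.key }
            - certificate_chain: { filename: /etc/certs/ecdsa/tls.crt }
              private_key:       { filename: /etc/certs/ecdsa/tls.key }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_https
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend_service }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: backend_service
    type: STRICT_DNS
    load_assignment:
      cluster_name: backend_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.default.svc.cluster.local, port_value: 8080 }
```

To confirm which chain a running listener hands out, connect twice with `openssl s_client` and restrict the offered signature algorithms, e.g. `-sigalgs RSA+SHA256` on one run and `-sigalgs ECDSA+SHA256` on the other, then compare the `Public Key Algorithm` of the presented leaf certificate; if both runs return the same key type, only one chain is actually configured.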