TLS client certificate authentication in istio

11/22/2021

I am currently trying to figure out how to enable istio to use a client certificate to authenticate to an external https service that requires client authentication. The client is a pod deployed in a kubernetes cluster that has istio installed. It currently accesses the external service using http, and cannot be changed. I know and have verified that istio can perform TLS origination so that the client can still use http to refer to the service, and istio will perform the TLS connection. But if the service also requires client certificate authentication, is there a way for me to configure istio to utilize a given certificate to do that?

I have tried by creating a ServiceEntry as described in some tutorials, as well as DestinationRules for that ServiceEntry. Is there a configuration in the DestinationRule, or elsewhere that will allow me to do that?

This is my current attempt. The hostname that requires client authentication is app.k8s.ssg-masamune.com. I have already verified that all the certificates I'm using appear to work through curl.

The certificates, though, are signed by a custom CA.

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-svc-https
spec:
  hosts:
  - api.dropboxapi.com
  - www.googleapis.com
  - developers.facebook.com
  - app.k8s.ssg-masamune.com
  - bookinfo.k8s.ssg-masamune.com
  - edition.cnn.com
  - artifactory.pds-centauri.com
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 443
  resolution: DNS
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: app-dr
spec:
  host: app.k8s.ssg-masamune.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: SIMPLE
        credentialName: app-secret
        insecureSkipVerify: true
        sni: app.k8s.ssg-masamune.com
        subjectAltNames:
        - app
-- Jason Hirata
istio
kubernetes
ssl

0 Answers
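The configuration the question is after, written out as an added example (not the asker's manifests and not taken from the Istio project): the sidecar originates TLS to the external host and presents a client certificate, using `mode: MUTUAL` in the DestinationRule with file-based certificate paths, which the sidecar supports regardless of Istio version. The client certificate, key and custom CA are mounted into the `istio-proxy` container through the `sidecar.istio.io/userVolume` and `sidecar.istio.io/userVolumeMount` pod annotations. Assumptions: the Secret name `app-client-tls`, the Deployment name `app-client`, the mount path `/etc/istio/app-client-tls`, and a server certificate whose SAN is the hostname itself; only the hostname and the 80-to-443 port mapping come from the question. Pinning the custom CA with `caCertificates` replaces the `insecureSkipVerify: true` from the attempt, so the server is verified rather than trusted blindly.

```yaml
# Added example, not from the question. Secret holding the client credentials
# and the custom CA; create it from files instead of inlining PEM, e.g.
#   kubectl create secret generic app-client-tls \
#     --from-file=tls.crt=client.crt --from-file=tls.key=client.key \
#     --from-file=ca.crt=custom-ca.crt
# Key names (tls.crt, tls.key, ca.crt) are an assumption and must match
# the paths used in the DestinationRule below.
apiVersion: v1
kind: Secret
metadata:
  name: app-client-tls      # assumed name
type: Opaque
data:
  tls.crt: "<base64 client certificate, placeholder>"
  tls.key: "<base64 client private key, placeholder>"
  ca.crt: "<base64 custom CA certificate, placeholder>"
---
# The client workload (name assumed). Only the pod-template annotations matter:
# they mount the Secret into the istio-proxy sidecar, not the app container,
# because the sidecar is what performs the TLS handshake.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-client
spec:
  selector:
    matchLabels:
      app: app-client
  template:
    metadata:
      labels:
        app: app-client
      annotations:
        sidecar.istio.io/userVolume: '[{"name":"app-client-tls","secret":{"secretName":"app-client-tls"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"app-client-tls","mountPath":"/etc/istio/app-client-tls","readOnly":true}]'
    spec:
      containers:
      - name: app
        image: example/app-client:latest   # placeholder image
---
# Plain-HTTP port 80 on the mesh side, forwarded to 443 on the real host.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: app-external
spec:
  hosts:
  - app.k8s.ssg-masamune.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 443
---
# MUTUAL mode = TLS origination plus a client certificate. The paths are the
# sidecar mount above. caCertificates pins the custom CA so the server cert
# is actually verified; subjectAltNames must match a SAN in the server cert
# (assumed here to be the hostname).
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: app-dr
spec:
  host: app.k8s.ssg-masamune.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: MUTUAL
        clientCertificate: /etc/istio/app-client-tls/tls.crt
        privateKey: /etc/istio/app-client-tls/tls.key
        caCertificates: /etc/istio/app-client-tls/ca.crt
        sni: app.k8s.ssg-masamune.com
        subjectAltNames:
        - app.k8s.ssg-masamune.com
```

The pods must be restarted after adding the annotations, since the volume is injected at sidecar-injection time. To confirm the handshake is happening in the proxy, `istioctl proxy-config cluster <pod> --fqdn app.k8s.ssg-masamune.com -o json` should show the cluster with a `transport_socket` of type `tls` carrying the certificate chain and validation context; a server that still rejects the connection will typically log a missing or untrusted client certificate, which points at the CA the server trusts rather than at the mesh configuration.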