
I am writing a service to coordinate Istio control planes in a "replicated control planes" configuration. I have managed to programmatically create ServiceEntry objects that correctly route between clusters – multicluster routing works great! Things even fail over correctly between clusters without any extra config. An example of a service entry that my app creates looks like this:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: httpbin-no-proxy.httpbin
  namespace: my-app
spec:
  addresses:
  - 245.0.0.1
  endpoints:
  # Some remote cluster ingress
  - address: 172.18.0.3
    labels:
      app: httpbin
      my-app/managed: cluster-1
      identity: httpbin
    ports:
      http: 15443
  - address: httpbin-no-proxy.httpbin.svc.cluster.local
    labels:
      app: httpbin-no-proxy
      my-app/managed: cluster-2
      identity: httpbin
    ports:
      http: 8000
  hosts:
  - httpbin-no-proxy.httpbin.global
  location: MESH_INTERNAL
  ports:
  - name: http
    number: 8000
    protocol: http
  resolution: DNS

However, in order to make it easier to onboard services, I would like to enable this functionality for service pairs where the client/server are in different clusters AND the server does not yet have Istio injected.

This doesn't work out of the box (either in-cluster or out-of-cluster) because, with the requisite ServiceEntry in place in the server cluster, Istio does not terminate mTLS at the ingress gateway – the service receives encrypted traffic!

Within my cluster I am able to configure termination for sidecars using a DestinationRule, like so:

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin-no-proxy.httpbin
spec:
  host: httpbin-no-proxy.httpbin.global
  trafficPolicy:
    outlierDetection:
      baseEjectionTime: 120s
      consecutiveErrors: 10
      interval: 5s
      minHealthPercent: 49
    tls:
      mode: DISABLE

This makes the .global work internally within the server cluster – traffic from pods with a sidecar in the server cluster is no longer encrypted when it reaches the server. But this doesn't take effect when traversing the ingress gateway, even if I create the DestinationRule in the istio-system or istio-config namespaces.

What makes the ingress proxy instance special, and how do I get an ingress gateway to connect to an upstream (server) in plaintext?

pnovotnak
  • Have you tried with permissive tls mode? When PERMISSIVE mode is enabled, a service can accept both plain text and mutual TLS traffic – Jakub Jan 28 '21 at 11:51
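The DestinationRule in the question turns TLS off for a .global host whose ServiceEntry also points at a remote cluster's ingress (172.18.0.3), so the client sidecars in that cluster would send traffic to the remote endpoint without TLS. The following audit script is an added example, not the asker's service or anything from Istio; it reproduces the two manifests from the question as Python dicts (constructed, so it runs with the standard library only), assumes the asker's own `my-app/managed` endpoint label marks which cluster an endpoint lives in, and only inspects the top-level `trafficPolicy.tls.mode` (not `portLevelSettings`). It reports every DestinationRule with `mode: DISABLE` whose host resolves to endpoints outside the local cluster.

```python
from typing import Any, Dict, List

# Constructed sample manifests mirroring the ServiceEntry and DestinationRule
# in the question (plus one hypothetical mTLS rule for contrast).
SERVICE_ENTRIES: List[Dict[str, Any]] = [
    {
        "apiVersion": "networking.istio.io/v1beta1",
        "kind": "ServiceEntry",
        "metadata": {"name": "httpbin-no-proxy.httpbin", "namespace": "my-app"},
        "spec": {
            "addresses": ["245.0.0.1"],
            "hosts": ["httpbin-no-proxy.httpbin.global"],
            "location": "MESH_INTERNAL",
            "resolution": "DNS",
            "ports": [{"name": "http", "number": 8000, "protocol": "http"}],
            "endpoints": [
                {   # remote cluster ingress gateway
                    "address": "172.18.0.3",
                    "labels": {"app": "httpbin", "my-app/managed": "cluster-1",
                               "identity": "httpbin"},
                    "ports": {"http": 15443},
                },
                {   # service local to this cluster
                    "address": "httpbin-no-proxy.httpbin.svc.cluster.local",
                    "labels": {"app": "httpbin-no-proxy", "my-app/managed": "cluster-2",
                               "identity": "httpbin"},
                    "ports": {"http": 8000},
                },
            ],
        },
    },
]

DESTINATION_RULES: List[Dict[str, Any]] = [
    {
        "apiVersion": "networking.istio.io/v1beta1",
        "kind": "DestinationRule",
        "metadata": {"name": "httpbin-no-proxy.httpbin"},
        "spec": {
            "host": "httpbin-no-proxy.httpbin.global",
            "trafficPolicy": {"tls": {"mode": "DISABLE"}},
        },
    },
    {   # hypothetical rule that keeps mTLS; should produce no finding
        "apiVersion": "networking.istio.io/v1beta1",
        "kind": "DestinationRule",
        "metadata": {"name": "other-svc"},
        "spec": {
            "host": "other-svc.default.global",
            "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}},
        },
    },
]

# Assumption: the asker's own endpoint label that names the owning cluster.
CLUSTER_LABEL = "my-app/managed"


def tls_mode(rule: Dict[str, Any]) -> Any:
    """Top-level client TLS mode of a DestinationRule (None if unset)."""
    return (rule.get("spec", {}).get("trafficPolicy", {})
            .get("tls", {}).get("mode"))


def remote_endpoints(entry: Dict[str, Any], local_cluster: str) -> List[str]:
    """Addresses of ServiceEntry endpoints not labelled with the local cluster."""
    return [ep["address"] for ep in entry["spec"].get("endpoints", [])
            if ep.get("labels", {}).get(CLUSTER_LABEL) != local_cluster]


def audit_plaintext_cross_cluster(service_entries: List[Dict[str, Any]],
                                  destination_rules: List[Dict[str, Any]],
                                  local_cluster: str) -> List[Dict[str, Any]]:
    """Flag DISABLE rules whose host has endpoints outside local_cluster."""
    by_host: Dict[str, Dict[str, Any]] = {}
    for se in service_entries:
        for host in se["spec"].get("hosts", []):
            by_host[host] = se

    findings: List[Dict[str, Any]] = []
    for dr in destination_rules:
        if tls_mode(dr) != "DISABLE":
            continue
        host = dr["spec"]["host"]
        se = by_host.get(host)
        if se is None:
            continue  # host not managed by a ServiceEntry we know about
        remote = remote_endpoints(se, local_cluster)
        if remote:
            findings.append({
                "rule": dr["metadata"]["name"],
                "host": host,
                "remote_endpoints": remote,
                "detail": "client sidecars send plaintext toward these endpoints",
            })
    return findings


if __name__ == "__main__":
    for f in audit_plaintext_cross_cluster(SERVICE_ENTRIES, DESTINATION_RULES, "cluster-2"):
        print(f"{f['rule']}: {f['host']} -> {f['remote_endpoints']} ({f['detail']})")
```

Run against the question's manifests with `cluster-2` as the local cluster, the script reports the `httpbin-no-proxy.httpbin` rule and the 172.18.0.3 gateway endpoint; the ISTIO_MUTUAL rule produces nothing. Feeding it the output of `kubectl get serviceentries,destinationrules -o json` (converted to the same dict shape) gives a quick review of where a TLS-disabling rule would expose cross-cluster traffic.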

0 Answers