
I followed the setup in the link below to enable a secure connection to the ingress gateway:

https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-sds/

I can send a request and get the response from the internal service, but is there a way to access the certificate common name in the internal service?

The internal service is running the following Flask application.

from flask import Flask, request

app = Flask(__name__)

# Echo every request header the sidecar forwards, so the client-cert
# details (if any) become visible in the response body.
@app.route("/first")
def index():
    return str(request.headers)

if __name__ == "__main__":
    app.run(debug=True, host='0.0.0.0')

And it gives the following output:

Accept: */*
X-Forwarded-For: 10.32.0.5
X-Envoy-Decorator-Operation: flasksvc.default.svc.cluster.local:5000/first
X-Request-Id: f5f4d99f-0fe6-450b-a836-f4f228a5908d
X-B3-Traceid: a057039d68a629d516a7e36660197be8
X-Istio-Attributes: Ck8KCnNvdXJjZS51a....
Host: flaskapp.example.com
X-B3-Spanid: 16a7e36660197be8
X-Envoy-Internal: true
User-Agent: curl/7.29.0
Content-Length: 0
X-B3-Sampled: 0
X-Forwarded-Proto: https

I want to see the certificate common name in the response. Could you please help me do this with Istio version 1.4.0?

Kalyan Kumar

1 Answer

2

Well, what you need to do is configure the Istio ingress gateway to perform SNI passthrough without terminating the TLS. Check this guide on how to do it.

Arghya Sadhu
  • I am getting connection refused after enabling passthrough; also, is it mandatory to use nginx? – Kalyan Kumar Jan 03 '20 at 07:50
  • Nginx is just a sample pod used in this guide... in reality you should replace it with your own pod – Arghya Sadhu Jan 03 '20 at 10:51
  • It did not display the certificate common name in the output – Kalyan Kumar Jan 04 '20 at 09:13
  • You only have the passthrough sample deployed in the cluster, right, or is there a TLS termination example as well? Check this issue https://github.com/istio/istio/issues/11786 – Arghya Sadhu Jan 04 '20 at 09:37
  • That output... how are you getting it? – Arghya Sadhu Jan 04 '20 at 09:46
  • X-Forwarded-Client-Cert: By=spiffe://cluster.local/ns/default/sa/default;Hash=f01d1affa44958806225a0316afc3112789256a2084f0ecd1a84d765c0199cf3;Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account – Kalyan Kumar Jan 05 '20 at 02:19
  • I wrote a Python Flask application to print headers; in the above comment, the subject is empty – Kalyan Kumar Jan 05 '20 at 02:20
  • The above output: were you getting this already before, or are you getting it with the SNI passthrough? Also, is mutual TLS enabled globally? And do you have a DestinationRule in front of your app with tls_mode set to istio_mutual? – Arghya Sadhu Jan 05 '20 at 10:50
  • SNI passthrough is configured at the gateway level; the above output is printed by the Python file in the application container, which sits after the gateway. I configured mutual TLS globally and the destination rule is also configured. When I send a request to the ingress gateway, it seems to be calling my application with the ingress service account. – Kalyan Kumar Jan 05 '20 at 17:36
  • I am still getting an empty subject even after trying different ways; could you please check the link https://github.com/istio/istio/issues/19933 and let me know what I am doing wrong. – Kalyan Kumar Jan 07 '20 at 08:59
  • This answer is indeed the correct solution, @KalyanKumar; there might be something wrong with your deployment of your application. You can check if the protocol is correct and the port is named as in this SO [post](https://stackoverflow.com/questions/59560394/how-to-terminate-ssl-at-ingress-gateway-in-istio/59578064#59578064). – Piotr Malec Jan 21 '20 at 12:17
  • It did not work with SNI passthrough; I did not add the caCertificates option to the gateway, so that caused this issue. Please check my GitHub link github.com/istio/istio/issues/19933 – Kalyan Kumar Jan 21 '20 at 16:03
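Added example (not code from the question, the answer, or Istio): a stdlib-only parser for the X-Forwarded-Client-Cert header quoted in the comments above, returning the client certificate's CN, or None when Subject is empty as it is in the thread. It assumes Envoy's XFCC layout (semicolon-separated key=value pairs, one comma-separated element appended per proxy hop, so element 0 is what the ingress gateway saw) and accepts the Subject DN in either RFC 2253 ("CN=a,O=b") or OpenSSL one-line ("/C=US/CN=a") form; THREAD_XFCC is the value from the comments.

```python
from typing import Dict, List, Optional
# Header value quoted in the thread's comments (empty Subject, gateway SPIFFE URI).
THREAD_XFCC = ('By=spiffe://cluster.local/ns/default/sa/default;Hash=f01d1affa44958806225a0316afc3112789256a2084f0ecd1a84d765c0199cf3;'
               'Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account')

def _split_unquoted(text: str, sep: str) -> List[str]:
    """Split on sep only outside double quotes: a quoted Subject may contain ',' or ';'."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_xfcc(header: str) -> List[Dict[str, str]]:
    """One dict per element; each hop appends, so element 0 is the cert seen by the gateway."""
    elements = []
    for element in _split_unquoted(header, ","):
        fields = {}
        for pair in _split_unquoted(element, ";"):
            key, _, value = pair.partition("=")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')  # strip quotes, unescape
            fields[key.strip()] = value
        elements.append(fields)
    return elements

def common_name(subject: str) -> Optional[str]:
    """CN from 'CN=a,O=b' (RFC 2253) or the older '/C=US/O=b/CN=a' one-line form; None if absent."""
    rdns = subject.split("/") if subject.startswith("/") else _split_unquoted(subject, ",")
    for rdn in rdns:
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None

def client_common_name(header: Optional[str]) -> Optional[str]:
    """CN of the external client's cert; None when the header is missing or Subject is empty."""
    elements = parse_xfcc(header) if header else []
    return common_name(elements[0].get("Subject", "")) if elements else None
```

In the question's Flask view, `request.headers.get('X-Forwarded-Client-Cert')` is the value to pass to `client_common_name`; a None result with a SPIFFE URI present means only the gateway's own identity reached the sidecar, which is the symptom discussed in the comments.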