
I understand that I can configure Istio for its Citadel component to use a root x509 certificate + private key that I provide. Can I extend this system in a way that I also use the same root to issue certificates to legacy workloads running in the same k8s cluster, and then configure a destination rule to access these workloads from inside the mesh? Something like:

```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls
spec:
  host: mymtls-app.legacy.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 8443
      tls:
        mode: ISTIO_MUTUAL
        sni: mymtls-app.legacy.svc.cluster.local
```

Can the above work? Do I need any additional configuration besides the above? I may not be in a position to run spiffe / spire to manage the certificates for workloads outside the mesh - which puts a spiffe-federation solution like this somewhat out of reach for me. But this also doesn't seem like a fully supported mechanism in any case.

I have been able to configure mTLS using a separate certificate hierarchy which I have to inject via secrets and mount into the pods / sidecars in question (illustrated here).

CppNoob
  • If you are using your own certificates then you need to use mode: MUTUAL and other attributes https://istio.io/latest/docs/reference/config/networking/destination-rule/ – Nataraj Medayhal Jul 08 '22 at 13:49
  • @NatarajMedayhal, what does the DestinationRule documentation link add to the discussion? Could you point out which specific section or line is relevant to the question above? – CppNoob Jul 08 '22 at 20:16
  • If you want to use your own certificate and private keys instead of Citadel then you need to use mode: MUTUAL. The link has the attributes which need to be used. If mode is ISTIO_MUTUAL it will automatically generate those. – Nataraj Medayhal Jul 09 '22 at 03:45
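The configuration the comments point to, as an added example that is not part of the question or the comments: the calling sidecar presents a client certificate issued from the operator's own root (mode: MUTUAL with file-based certificates) rather than its Citadel-issued identity, and the matching Secret is mounted into the sidecar with Istio's userVolume annotations. The Secret name (legacy-client-certs, holding tls.crt, tls.key and ca.crt), the mount path and the namespaces are assumptions.

```yaml
# Added example, not from the question or comments. Assumed: a Secret named
# legacy-client-certs in namespace mesh-app with keys tls.crt, tls.key, ca.crt,
# mounted into the sidecar at /etc/certs/legacy.
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-legacy
  namespace: mesh-app            # namespace of the calling workload (assumed)
spec:
  host: mymtls-app.legacy.svc.cluster.local
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 8443
      tls:
        mode: MUTUAL             # client cert supplied by you, not by Citadel
        clientCertificate: /etc/certs/legacy/tls.crt
        privateKey: /etc/certs/legacy/tls.key
        caCertificates: /etc/certs/legacy/ca.crt   # root that signed the legacy server cert
        sni: mymtls-app.legacy.svc.cluster.local
        subjectAltNames:         # reject a cert from the same root issued for another name
        - mymtls-app.legacy.svc.cluster.local
---
# Calling workload: the annotations mount the Secret into the istio-proxy container
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mesh-client
  namespace: mesh-app
spec:
  selector:
    matchLabels: {app: mesh-client}
  template:
    metadata:
      labels: {app: mesh-client}
      annotations:
        sidecar.istio.io/userVolume: '[{"name":"legacy-client-certs","secret":{"secretName":"legacy-client-certs"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"legacy-client-certs","mountPath":"/etc/certs/legacy","readOnly":true}]'
    spec:
      containers:
      - name: app
        image: registry.example/mesh-client:1.0   # placeholder image
```

The legacy server still has to trust the same root for the client certificate it receives, and rotating the Secret requires a proxy restart because file-based certificates are not reloaded through SDS.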

0 Answers