How can I use custom client certificate for external service with istio?

Question

I need to setup mutual tls communication from kubernetes pod to external service. My system is running with istio system.

I found reference about this.

https://istio.io/docs/reference/config/networking/v1alpha3/destination-rule/#TLSSettings

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: external-mtls
spec:
  host: *.external.com
  trafficPolicy:
    tls:
      mode: MUTUAL
      clientCertificate: /etc/certs/myclientcert.pem
      privateKey: /etc/certs/client_private_key.pem
      caCertificates: /etc/certs/rootcacerts.pem

According to this document, All I need to do is set mode MUTUAL (not ISTIO_MUTUAL) and set certificate files. As you can see, clientCertificate, privateKey, caCertificates is local file path.

I think they should be in envoy proxy's disk. But I couldn't find a way to put my certificate files into envoy proxy's volume.

How can I do that?

Answer 1

You can run istioctl kube-inject -f your-deployment.yaml > your-deployment-with-istio-sidecar.yaml.

Then edit your-deployment-with-istio-sidecar.yaml and add mounting of the certificates from some secrets. Then create the secrets from your certificates.

Alternatively, create your sidecar injection template, see https://istio.io/blog/2019/data-plane-setup/#manual-injection.

Example of creating secrets for certificates: https://istio.io/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#redeploy-the-egress-gateway-with-the-client-certificates

Mounting volumes from secretes described here https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod

Answer 2

I found solution.

1. create secret or config map

kubectl create secret generic my-cert --from-file=cert1.crt --from-file=cert2.crt

2. annotate pod or deployment with sidecar.istio.io/userVolumeMount, sidecar.istio.io/userVolume

annotations:                                                                                       
  sidecar.istio.io/userVolumeMount: '[{"name":"my-cert", "mountPath":"/etc/my-cert", "readonly":true}]'
  sidecar.istio.io/userVolume: '[{"name":"my-cert", "secret":{"secretName":"my-cert"}}]'

Documentation on these and other annotations: https://preliminary.istio.io/docs/reference/config/annotations/

Done. It's mounted to envoy proxy pod.