How can I use a custom client certificate for an external service with Istio?

无人及你 2020-12-18 11:30

I need to set up mutual TLS communication from a Kubernetes pod to an external service. My system is running with the Istio system.

I found a reference about this.

https

2 answers
  •  自闭症患者
    2020-12-18 11:39

    I found a solution.

    1. Create a secret or config map
    kubectl create secret generic my-cert --from-file=cert1.crt --from-file=cert2.crt

    2. Annotate the pod or deployment with sidecar.istio.io/userVolumeMount, sidecar.istio.io/userVolume
    annotations:
      sidecar.istio.io/userVolumeMount: '[{"name":"my-cert", "mountPath":"/etc/my-cert", "readonly":true}]'
      sidecar.istio.io/userVolume: '[{"name":"my-cert", "secret":{"secretName":"my-cert"}}]'

    Documentation on these and other annotations: https://preliminary.istio.io/docs/reference/config/annotations/

    Done. It's mounted to the Envoy proxy pod.
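
A pre-deploy check for the two annotations used in the answer above, added here as an example and not part of the original answer or of Istio. It verifies that each annotation value is a JSON list, that every mount names a defined volume, and that secret-backed mounts are read-only; the function name `check_sidecar_volumes` and the read-only rule are assumptions of this example.

```python
import json

MOUNT_KEY = "sidecar.istio.io/userVolumeMount"
VOLUME_KEY = "sidecar.istio.io/userVolume"

def _load(annotations, key, problems):
    """Parse one annotation value; it must be a JSON list of objects."""
    raw = annotations.get(key)
    if raw is None:
        problems.append(f"missing annotation {key}")
        return []
    try:
        items = json.loads(raw)
    except json.JSONDecodeError as exc:
        problems.append(f"{key}: invalid JSON ({exc.msg})")
        return []
    if not isinstance(items, list) or not all(isinstance(i, dict) for i in items):
        problems.append(f"{key}: expected a JSON list of objects")
        return []
    return items

def check_sidecar_volumes(annotations):
    """Return a list of problems found in the two sidecar volume annotations."""
    problems = []
    mounts = _load(annotations, MOUNT_KEY, problems)
    volumes = _load(annotations, VOLUME_KEY, problems)
    if problems:
        return problems
    by_name = {v.get("name"): v for v in volumes}
    mounted = {m.get("name") for m in mounts}
    for m in mounts:
        name, path = m.get("name"), str(m.get("mountPath", ""))
        if name not in by_name:
            problems.append(f"mount {name!r} has no matching userVolume")
            continue
        if not path.startswith("/"):
            problems.append(f"mount {name!r}: mountPath must be absolute")
        # Key compared case-insensitively: accepts "readonly" and "readOnly".
        read_only = any(k.lower() == "readonly" and v is True for k, v in m.items())
        if "secret" in by_name[name] and not read_only:
            problems.append(f"mount {name!r}: secret volume is not read-only")
    problems += [f"volume {n!r} is defined but never mounted" for n in by_name if n not in mounted]
    return problems

# Constructed sample: the annotation values shown in the answer above.
SAMPLE = {
    MOUNT_KEY: '[{"name":"my-cert", "mountPath":"/etc/my-cert", "readonly":true}]',
    VOLUME_KEY: '[{"name":"my-cert", "secret":{"secretName":"my-cert"}}]',
}
```

Calling `check_sidecar_volumes(SAMPLE)` returns an empty list; a mismatched volume name, a relative `mountPath` or a writable secret mount each produce one entry.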
