Musings about Istio with mTLS

Posted on
istio kubernetes news

Musings about  Istio with mTLS

To start this off, I want to make it totally clear, that I think mTLS in Istio is a pretty awesome feature, almost a unique selling point for Istio. But it also has some pitfalls, that can be hard to spot.

And yes, this is documented, but it took me a while to understand anyway. In this article I want to provide some information about setup, but also about debugging. In the image on the left you can see what Kiali shows when mTLS is set up for a connection.

What is “mutual TLS”, mTLS anyway? TLS or Transport Layer Security makes sure that communication between services is encrypted. With the right configuration, the services are also checked that they are who they declare themselves to be with the help of certificates.

A prime example of TLS is your web browser when you call https urls. Istio can, with the help of its Citadel component, set up mTLS between any two services including the creation, distribution and checking of certificates. As Bookinfo is the Hello World of Istio, I am going to use this to explain how to set up mTLS from productpage to details service as shown in the above graph snippet.