Istio can secure the communication between microservices without requiring application code changes. Security is provided by authenticating and encrypting communication paths within the cluster. This is becoming a common security and compliance requirement. Delegating communication security to Istio (as opposed to implementing TLS in each microservice), ensures that your application will be deployed with consistent and manageable security policies.
Istio Citadel is an optional part of Istio's control plane components. When enabled, it provides each Envoy sidecar proxy with a strong (cryptographic) identity, in the form of a certificate. Identity is based on the microservice's service account and is independent of its specific network location, such as cluster or current IP address. Envoys then use the certificates to identify each other and establish an authenticated and encrypted communication channel between them.
Citadel is responsible for:
-
Providing each service with an identity representing its role.
-
Providing a common trust root to allow Envoys to validate and authenticate each other.
-
Providing a key management system, automating generation, distribution, and rotation of certificates and keys.
When an application microservice connects to another microservice, the communication is redirected through the client side and server side Envoys. The end-to-end communication path is:
-
Local TCP connection (i.e.,
localhost, not reaching the "wire") between the application and Envoy (client- and server-side); -
Mutually authenticated and encrypted connection between Envoy proxies.
When Envoy proxies establish a connection, they exchange and validate certificates to confirm that each is indeed connected to a valid and expected peer. The established identities can later be used as basis for policy checks (e.g., access authorization).
- To configure mTLS, we need to modify our previous destination rules to use ISTIO_MUTUAL.
oc replace -f destination-rule-all-mtls.yaml-
Send more traffic to your application. Everything should still continue to work as expected.
-
Launch Kiali again and go to the Graph
-
Under Display, select Security. Confirm your traffic is secure.
-
Create a root certificate and private key to sign the certificate for your services:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=istio-system.svc' -keyout example.com.key -out example.com.crtexample.com.crt and example.com.key files should be generated.
-
Create a certificate and a private key for istio-ingressgateway.istio-system.svc:
openssl req -out ingGW.csr -newkey rsa:2048 -nodes -keyout ingGW.key -subj "/CN=istio-ingressgateway.istio-system.svc" openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in ingGW.csr -out ./ingGW.crtingGW.crt, ingGW.csr, and ingGW.key files should be generated.
-
Create a Kubernetes secret to hold the server’s certificate and private key. Use kubectl to create the secret istio-ingressgateway-certs in namespace istio-system.
oc create -n istio-system secret tls istio-ingressgateway-certs --key ingGW.key --cert ingGW.crt -
Delete the ingress gateway pod and force the ingress gateway pod to restart and reload key and certificate
oc delete pod -l app=istio-ingressgateway -n istio-system
- Launch the OpenShift console and choose the istio-system project
- Under Networking -> Routes, click Create Route
- Name:
istio-ingressgateway-secure - Service:
istio-ingressgateway - Target Port
443->8443 - Check
Secure Route - TLS Termination:
Re-encrypt - Insecure Traffic:
None - Destination CA Certificate: Upload the
example.com.crtfile from the previous section - Click Create
Visit the new HTTPS route next to istio-ingressgateway-secure. Remember to add /productpage at the end of the URL!
Thank you so much for your time today! You've done an excellent job making it through the material.