istio: Missing Istio Mutual TLS between sidecars and egress gateways

Bug description

Setting Istio Mutual TLS for traffic to egress gateways was removed from istio.io by the following PRs: https://github.com/istio/istio.io/pull/6795, https://github.com/istio/istio.io/pull/6805.

While Auto mTLS applies to traffic between sidecars, it probably cannot work for traffic between a sidecar and an egress gateway, since the gateway expects plain HTTP traffic and it has no sidecar proxy to perform mTLS for it (the gateway is itself a proxy). The users could think that thanks to auto mTLS all the traffic in their mesh is encrypted automatically, which is probably not true for the traffic between application pods and egress gateways. Consider a case when the users direct HTTP traffic through the egress gateway and the egress gateway performs TLS origination to an external service. In Istio 1.4 all the traffic was encrypted. In Istio 1.5, the traffic between the application pod and the egress gateway is probably not encrypted.

I tried to use Destination Rules with TLS Mode ISTIO_MUTUAL and SNI, and set the TLS mode of the server in the egress gateway, as in Istio 1.4, but it does not work with Istio 1.5 for some reason.

Expected behavior

The traffic from the sidecars to the egress gateway must be encrypted.

Steps to reproduce the bug

Follow the instructions in https://preliminary.istio.io/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/ and verify that the traffic between Istio sidecar and the egress gateway is not encrypted.

Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)

client version: 1.5.4
control plane version: 1.5.4
data plane version: 1.5.4 (4 proxies)

How was Istio installed?

Environment where bug was observed (cloud vendor, OS, etc)
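For reference, this is the shape of the Istio 1.4-style configuration the report refers to (a Gateway server with TLS mode ISTIO_MUTUAL plus a DestinationRule with ISTIO_MUTUAL and SNI towards the egress gateway), added here as an example; it is not the reporter's own manifests, and the reporter states this approach did not work for them on 1.5. It assumes the default egress gateway deployment in istio-system and a constructed external host, external.example.com, reached through a matching ServiceEntry that is not shown.

```yaml
# Added example, not the issue's own manifests. Assumes the default egress
# gateway in istio-system and a constructed external host, external.example.com,
# declared by a ServiceEntry (not shown).
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: https-port-for-tls-origination
      protocol: HTTPS
    hosts:
    - external.example.com
    tls:
      # The gateway terminates Istio mutual TLS from sidecars on this port
      # instead of accepting plain HTTP; the gateway is itself the proxy,
      # so this is where the server side of mTLS has to be configured.
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: egressgateway-for-external-example
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: external-example
    trafficPolicy:
      portLevelSettings:
      - port:
          number: 80
        tls:
          # Sidecars originate Istio mutual TLS towards the gateway on port 80;
          # the SNI lets the gateway match the server block above.
          mode: ISTIO_MUTUAL
          sni: external.example.com
```

Whether a sidecar actually originates TLS towards the gateway can be inspected with `istioctl proxy-config cluster <app-pod> --fqdn istio-egressgateway.istio-system.svc.cluster.local -o json`, checking for a TLS transport socket on the subset cluster rather than a plaintext one.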

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 5
  • Comments: 26 (18 by maintainers)

Most upvoted comments

@lambdai thanks for chiming in! I believe @GregHanson has tried to add the “security.istio.io/tlsMode” label to the egress gw pod. @GregHanson can you provide more details?

we don’t support egress gw using SDS today (targeted for 1.7), so it would have to use file mounted certs.