This is a demo of mTLS origination at an Istio egress gateway. Access to the server is authorized only if the client presents a certificate that it trusts. The client is a simple proxy that will send a request to the server and return its response.
The following instructions describe how to provision this demo in an OpenShift cluster.
- Install the Red Hat OpenShift Certificate Manager operator.
- Provision the certificate issuers
oc apply -f cert-manager/ -n openshift-cert-manager
oc new-project server
oc apply -f server/manifests/ -n server
This is an example of traditional client identity instrumentation provided as a comparison. A keystore secret is mounted directly to the application pod and consumed by the application to secure the request.
oc new-project client
oc apply -f client/manifests/ -n client
- Install Elasticsearch operator all namespaces
- Install OpenShift Distributed Tracing operator all namespaces
- Install Kiali operator all namespaces
- Install OpenShift Service Mesh operator all namespaces
- Create a namespace for the service mesh control plane
- Provision a control plane (see below)
oc new-project istio-system
oc apply -f istio-system/ServiceMeshControlPlane_basic.yaml -n istio-system
oc new-project client-mesh
oc apply -f istio-system/ServiceMeshMemberRoll_default.yaml -n istio-system
oc apply -f istio-system/Secret_client-tls.yaml -f istio-system/Certificate_client-tls.yaml -n istio-system
Substitute your cluster's wildcard domain into the Gateway and VirtualService for the client UI in order to support ingress to the client endpoint for demonstration.
oc apply -f client-mesh/manifests/ -n client-mesh
JavaScript examples: Matteo Mattei