[Ingress] Support for Mutual TLS with external clients

[ldemailly]

@schmitzhermes commented on Thu May 25 2017

It would be great to support mutual TLS with Ingress clients.
A working example can be found in nginx ingress controller: https://github.com/kubernetes/ingress/blob/master/controllers/nginx/configuration.md#certificate-authentication

This should not be confused with mutual TLS inside your cluster (i.e. service-to-service communication) -> that's what https://github.com/istio/auth is for.

---

@rshriram commented on Mon May 29 2017

Hi,
Can you please post this issue on istio/issues repo? We are keeping track of all bugs and feature requests in that repo. The issues here are for our internal tracking purposes.

[ankurcha]

Any update on this?

[AssafShaikevich]

Hi , We also would like this feature , any update?

[ldemailly]

mesh expansion is an example - basically you just need a cert signed by the istio CA

cc @wattli

[AssafShaikevich]

@ldemailly mesh expansion examples seems to be focusing on external vms , but will it work with external kubernetes cluster ?

[ldemailly]

multiple clusters support is in the works for 1.0
you can probably achieve it in the same way as vm expension in the meantime

[louiscryan]

You can also use mTLS with non Istio certs using the new Gateway API. Please test this behavior with the 0.8 APIs and re-open this issue if that doesn't meet your needs.

See https://istio.io/docs/reference/config/istio.networking.v1alpha3/#Gateway