Enabling MTLS between Nginx Ingress Controller and Istio #24668
Comments
@robincher
If I change proxy_set_header as below, then it works. Got the clue from here - #14450 (comment). Current rule changed to
Hi @satishmane, thanks! You set this at the ingress controller, I presume? Or at an individual Ingress object?
I am not using the Kubernetes nginx ingress controller or an Ingress object. I have an nginx Docker image which is deployed as a pod with an Istio sidecar, with rules defined in proxy.conf.
I have/had exactly the same problem - getting mTLS to work from ingress-nginx with Istio. I added these ingress-nginx annotations and it seems to have fixed it (my main use case is getting authorisation rules to work for segregation):
nginx.ingress.kubernetes.io/service-upstream: "true"
Seems this is resolved based on the comments above (#14450 (comment)). There is a feature tracked that would make this work OOTB, but it's not likely to be implemented soon. Tracking in #23494.
Bug description
This is similar to issue #18176.
To illustrate what I am trying to achieve, you can check out the simple context diagram I have drawn.
As you can see, I am able to enable mTLS and successfully encrypt traffic within the mesh, but interestingly, I get an SSL error between the nginx controller and the service after enforcing mTLS STRICT mode on namespace alpha.
This may not technically be a bug, but what I observe is that the nginx controller pod, despite being injected with the Envoy sidecar, is unable to forward the "X-Forwarded-Client-Cert" header to the upstream service.
Is there some workaround for this?
I was also attempting this based on https://www.tetrate.io/blog/using-istio-with-other-ingress-proxies/, but I wonder if it's still applicable for Istio 1.6.x and onwards.
[X] Configuration Infrastructure
[X] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[X] Policies and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Expected behavior
Steps to reproduce the bug
1. Create an EKS cluster
2. Install the nginx-ingress controller and Istio 1.6.1
3. Install the sleep/httpbin test services into the foo namespace
4. Install sleep into the ingress-nginx namespace
5. Apply a PeerAuthentication policy to the foo namespace and set the mode to STRICT
6. Run tcpdump on the httpbin service:
kubectl exec -nfoo "$(kubectl get pod -nfoo -lapp=httpbin -ojsonpath={.items..metadata.name})" -c istio-proxy -it -- sudo tcpdump dst port 80 -A
7. Test the service:
a. Make a request from an external browser (you may need to set up an AWS ALB and NodePorts based on your test env)
b. Make a request from the sleep service in the foo namespace to the httpbin service
c. Make a request from the sleep service in the ingress-nginx namespace to the httpbin service
Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)
Kubernetes Version: 1.16
Istio Version: 1.6.1
nginx-ingress-controller: 0.30.0
How was Istio installed?
Environment where bug was observed (cloud vendor, OS, etc)
dump.txt
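A worked example, added here and not part of the original issue or of the Istio or ingress-nginx projects, that combines the repro steps above (a STRICT PeerAuthentication on the foo namespace) with the fix described in the comments (the service-upstream annotation plus the Host header change). The reason the default setup fails is that ingress-nginx proxies straight to pod endpoint IPs rather than the Service ClusterIP, and the nginx pod's sidecar only originates mTLS for destinations it knows as services; the two annotations below send the request to the Service and set the Host header to the in-cluster FQDN so the sidecar routes it correctly. The Service name and port (httpbin on 8000), the Ingress name and the external hostname are assumptions for illustration.

```yaml
# Added example (not from the issue, Istio or ingress-nginx). Assumes the
# Istio httpbin sample is deployed in namespace "foo" as Service httpbin:8000.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT          # plaintext from the ingress pod is now rejected
---
apiVersion: networking.k8s.io/v1beta1   # Ingress API available on Kubernetes 1.16
kind: Ingress
metadata:
  name: httpbin           # assumed name
  namespace: foo
  annotations:
    kubernetes.io/ingress.class: nginx
    # Proxy to the Service ClusterIP instead of the individual pod IPs that
    # ingress-nginx uses by default; the sidecar's outbound listener for the
    # Service then originates mTLS to httpbin.
    nginx.ingress.kubernetes.io/service-upstream: "true"
    # Set the Host header to the in-cluster FQDN so the sidecar matches the
    # right route (the same effect as the proxy_set_header change in the comments).
    nginx.ingress.kubernetes.io/upstream-vhost: httpbin.foo.svc.cluster.local
spec:
  rules:
  - host: httpbin.example.com   # assumed external hostname
    http:
      paths:
      - path: /
        backend:
          serviceName: httpbin
          servicePort: 8000
```

After applying both manifests, repeat step 6 of the repro: with the sidecar now originating mTLS, the bytes captured on port 80 of the httpbin pod are TLS records rather than readable HTTP request lines, and the upstream receives the X-Forwarded-Client-Cert header from its own sidecar. For a plain nginx pod with a hand-written proxy.conf (as in the comments), the equivalent is a proxy_pass to the Service FQDN together with proxy_set_header Host set to that FQDN. One caveat from the ingress-nginx documentation: with service-upstream enabled, load balancing across pods is done by kube-proxy, so nginx-side per-endpoint retries and session affinity no longer apply.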