This topic explains how to enable one-way TLS and mTLS on the Istio ingress.
Configuring one-way TLS
Use one-way TLS to secure API proxy endpoints on the Istio ingress: the ingress presents its server certificate to clients, but clients are not asked for one. To enable one-way TLS, configure the ingress either with TLS certificate/key file paths or with a Kubernetes Secret, as explained in the following options.
Option 1: key/cert pair
Provide the TLS certificate and key files in the virtualhosts property in your overrides file:

    virtualhosts:
      - name: $ENVIRONMENT_GROUP_NAME
        sslCertPath: "$CERT_FILE"
        sslKeyPath: "$KEY_FILE"

Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases, $CERT_FILE is the TLS certificate file and $KEY_FILE is the matching private key file. See Create TLS certificates.
Option 2: Kubernetes Secret
Create a Kubernetes Secret in the istio-system namespace and add the Secret name to your overrides file:
- Create the Secret. Keep the data keys named key and cert, because those are the names the ingress reads from a generic Secret:

    kubectl create -n istio-system secret generic $SECRET_NAME \
      --from-file=key=$KEY_FILE \
      --from-file=cert=$CERT_FILE

- Configure the virtualhosts property in your overrides file:

    virtualhosts:
      - name: $ENVIRONMENT_GROUP_NAME
        tlsMode: SIMPLE   # Note: SIMPLE is the default, so it is optional.
        sslSecret: $SECRET_NAME
Configuring mTLS
Instead of one-way TLS, you can configure mTLS on the Istio ingress, so that the ingress also requires a client certificate and verifies it against a CA you supply. There are two options for configuring mTLS, as explained below.
Option 1: key/cert pair and CA file
Provide a Certificate Authority (CA) certificate together with the TLS certificate and key files in the virtualhosts property in your overrides file:

    virtualhosts:
      - name: $ENVIRONMENT_GROUP_NAME
        tlsMode: MUTUAL
        caCertPath: "$CA_FILE"
        sslCertPath: "$CERT_FILE"
        sslKeyPath: "$KEY_FILE"

Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases, $CA_FILE is the CA certificate the ingress uses to verify client certificates (only clients presenting a certificate that chains to this CA are admitted), $CERT_FILE is the ingress's TLS certificate file and $KEY_FILE is its private key file. See Create TLS certificates.
Option 2: Kubernetes Secrets
Create two Kubernetes Secrets in the istio-system namespace. The first Secret holds the TLS certificate/key pair and the second holds the CA certificate. Then, add them to your overrides file.
- Create the Secret for the certificate/key pair:

    kubectl create -n istio-system secret generic $SECRET_NAME \
      --from-file=key=$KEY_FILE \
      --from-file=cert=$CERT_FILE

- Create the Secret for the CA. The name must be the name of the first Secret with -cacert appended, and the data key must be cacert; the ingress locates the CA by this naming convention, so the CA Secret is not listed separately in the overrides:

    kubectl create -n istio-system secret generic $SECRET_NAME-cacert \
      --from-file=cacert=$CA_FILE

- Configure the virtualhosts property in your overrides file:

    virtualhosts:
      - name: $ENVIRONMENT_GROUP_NAME
        tlsMode: MUTUAL   # Note: Be sure to specify MUTUAL; otherwise client certificates are not required.
        sslSecret: $SECRET_NAME
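Before pointing sslCertPath/sslKeyPath at files or creating the Secrets for either the one-way TLS or the mTLS procedure above, it pays to check that the pieces fit together. The following shell script is an added example, not code from this page or from the Apigee or Istio projects; it assumes openssl is on PATH, and the file and Secret names are placeholders. It checks that a certificate and private key belong together, checks that a known-good client certificate chains to the CA the ingress will trust under tlsMode: MUTUAL, and prints the kubectl commands using the data-key names (key, cert, cacert) and the -cacert Secret-name suffix the ingress expects.

```shell
#!/bin/sh
# Added example (not from the page or from the Apigee/Istio projects):
# preflight checks on the TLS material before it goes into overrides or Secrets.
# Assumptions: openssl is on PATH; file names and the Secret name are placeholders.

# check_pair CERT_FILE KEY_FILE: succeed only if the private key's public half
# matches the certificate's public key, i.e. the pair can actually serve TLS.
check_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# check_chain CA_FILE LEAF_CERT: succeed only if LEAF_CERT chains to CA_FILE.
# Under tlsMode: MUTUAL this is the verification the ingress performs on each
# client certificate, so run it on a known-good client cert before rolling out.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# secret_cmds SECRET_NAME CERT_FILE KEY_FILE [CA_FILE]: print (do not run) the
# kubectl commands that create the Secret(s). Data keys are key/cert/cacert and
# the CA Secret is named "<SECRET_NAME>-cacert", which is how the ingress finds
# the CA when the overrides only reference sslSecret.
secret_cmds() {
  printf 'kubectl create -n istio-system secret generic %s \\\n  --from-file=key=%s \\\n  --from-file=cert=%s\n' "$1" "$3" "$2"
  if [ -n "$4" ]; then
    printf 'kubectl create -n istio-system secret generic %s-cacert \\\n  --from-file=cacert=%s\n' "$1" "$4"
  fi
}

# preflight SECRET_NAME CERT_FILE KEY_FILE [CA_FILE [CLIENT_CERT]]: run the
# checks and, only if they all pass, print the commands for the next step.
# Returns non-zero (with a message on stderr) on the first failed check.
preflight() {
  check_pair "$2" "$3" || { echo "error: $3 does not match $2" >&2; return 1; }
  if [ -n "$4" ]; then
    openssl x509 -in "$4" -noout 2>/dev/null \
      || { echo "error: $4 is not a PEM certificate" >&2; return 1; }
    if [ -n "$5" ]; then
      check_chain "$4" "$5" || { echo "error: $5 does not chain to $4" >&2; return 1; }
    fi
  fi
  secret_cmds "$1" "$2" "$3" "$4"
}

# Usage with the page's placeholders (CLIENT_CERT is a cert issued by $CA_FILE):
#   preflight "$SECRET_NAME" "$CERT_FILE" "$KEY_FILE" "$CA_FILE" client.crt
```

Once the overrides are applied, confirm the behaviour from outside the cluster rather than trusting the configuration: a request with curl --cacert plus --cert/--key for a certificate issued by $CA_FILE should succeed, and the same request without --cert/--key should fail during the TLS handshake. If the second request succeeds, tlsMode is still SIMPLE or the CA Secret name does not follow the -cacert convention.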