Enabling an Ingress gateway for httpbin using mutual TLS

In SIMPLE TLS mode, only the client checks the identity of the server; in mutual TLS (mTLS), the server also checks the identity of the client. Mutual TLS adds another layer to the handshake in which the client sends its own X.509 certificate to the server, and the server validates that certificate against a CA it trusts before accepting the connection.

Mutual TLS is useful for business-to-business applications that require strict access control. Let's get started:

  1. Create a client certificate and key using RSA that will be used by the client (curl, in this case) to provide client authentication to the Istio Ingress gateway:

     $ step certificate create httpbin.istio.io client.crt client.key --profile leaf --ca istio.crt --ca-key istio.key --no-password --insecure --kty RSA --size 2048
     Please enter the password to decrypt istio.key: password
     # Provide the intermediate CA password

     Your certificate has been saved in client.crt.
     Your private key has been saved in client.key.

  2. Create a chain of certificates from the root CA and the intermediate authority:

     $ step certificate bundle root-ca.crt istio.crt ca-chain.crt
     Your certificate has been saved in ca-chain.crt.

  3. Recreate the httpbin-keys secret with one additional entry called cacert, which holds the CA chain the gateway will use to verify client certificates:

     $ kubectl -n istio-system delete secret httpbin-keys

     $ kubectl -n istio-system create secret generic httpbin-keys --from-file=key=$HOME/step/httpbin.key --from-file=cert=$HOME/step/httpbin.crt --from-file=cacert=$HOME/step/ca-chain.crt
     secret/httpbin-keys created

  4. To enable mutual TLS, we need to modify our gateway definition to change the TLS mode from SIMPLE to MUTUAL. We will change the definition for httpbin.istio.io for mutual TLS:

     # Script : 04-add-mutual-TLS-to-bookinfo-https-to-mygateway.yaml

     apiVersion: networking.istio.io/v1alpha3
     kind: Gateway
     metadata:
       name: mygateway
     spec:
       selector:
         istio: ingressgateway
       servers:
       - port:
           number: 80
           name: http
           protocol: HTTP
       ...
         tls:
           mode: MUTUAL
           credentialName: httpbin-keys
         hosts:
         - httpbin.istio.io

  5. Apply the modified gateway to change the httpbin.istio.io TLS mode from SIMPLE to MUTUAL:

     $ cd ~/istio/scripts/02-security/

     $ kubectl -n istio-system apply -f 04-add-mutual-TLS-to-bookinfo-https-to-mygateway.yaml
     gateway.networking.istio.io/mygateway configured

Now that we've created the gateway for bookinfo by implementing mutual TLS, we will verify the TLS configuration.
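The following shell helpers are an added example, not part of the book's scripts, that wrap the steps above so they can be verified rather than run blind. They assume (these names are not in the original text) that CERT_DIR points at the directory holding the step output, and that INGRESS_HOST and INGRESS_PORT are the external address and HTTPS port of the istio-ingressgateway service. The secret helper refuses to produce arguments unless key, cert and the CA chain are all present, since the MUTUAL gateway cannot verify client certificates without cacert; the two probes check the gateway from the client side, once with the client certificate (expect 200) and once without it (expect the handshake to be rejected).

```shell
#!/bin/sh
# Added example (not from the book): helpers for building the httpbin-keys
# secret and verifying the MUTUAL gateway from the client side.
# Assumptions (not in the original text): CERT_DIR holds the files produced by
# the step commands above; INGRESS_HOST/INGRESS_PORT are the external address
# and HTTPS port of the istio-ingressgateway service.

CERT_DIR="${CERT_DIR:-$HOME/step}"
INGRESS_HOST="${INGRESS_HOST:-127.0.0.1}"   # placeholder; override with the real address
INGRESS_PORT="${INGRESS_PORT:-443}"

# Assemble the --from-file arguments for `kubectl create secret generic`.
# Fails if any of the three files is missing: a MUTUAL gateway needs the
# cacert entry, otherwise the ingress has no CA to verify client certs against.
secret_from_file_args() {
    dir="$1"
    for f in httpbin.key httpbin.crt ca-chain.crt; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    printf '%s' "--from-file=key=$dir/httpbin.key --from-file=cert=$dir/httpbin.crt --from-file=cacert=$dir/ca-chain.crt"
}

# Print the first `mode:` value in a Gateway manifest (e.g. SIMPLE or MUTUAL),
# so a script can confirm the file being applied actually requests mTLS.
gateway_tls_mode() {
    sed -n 's/^[[:space:]]*mode:[[:space:]]*//p' "$1" | head -n 1
}

# Positive probe: present the client certificate and expect HTTP 200.
# --resolve pins httpbin.istio.io to the ingress address without DNS changes;
# --cacert uses the same root+intermediate chain to validate the server cert.
mtls_probe() {
    curl -s -o /dev/null -w '%{http_code}' \
        --resolve "httpbin.istio.io:$INGRESS_PORT:$INGRESS_HOST" \
        --cacert "$CERT_DIR/ca-chain.crt" \
        --cert "$CERT_DIR/client.crt" --key "$CERT_DIR/client.key" \
        "https://httpbin.istio.io:$INGRESS_PORT/status/200"
}

# Negative probe: the same request with no client certificate. With mode
# MUTUAL the gateway must abort the handshake, so curl exits non-zero and
# the HTTP code stays 000; a 200 here means mTLS is not actually enforced.
no_client_cert_probe() {
    code=$(curl -s -o /dev/null -w '%{http_code}' \
        --resolve "httpbin.istio.io:$INGRESS_PORT:$INGRESS_HOST" \
        --cacert "$CERT_DIR/ca-chain.crt" \
        "https://httpbin.istio.io:$INGRESS_PORT/status/200")
    rc=$?
    if [ "$rc" -eq 0 ] && [ "$code" = "200" ]; then
        echo "gateway accepted a connection without a client certificate" >&2
        return 1
    fi
    echo "rejected without client cert (curl exit $rc, http $code)"
}

# Usage (the network parts need a reachable ingress gateway):
#   kubectl -n istio-system create secret generic httpbin-keys $(secret_from_file_args "$CERT_DIR")
#   [ "$(gateway_tls_mode 04-add-mutual-TLS-to-bookinfo-https-to-mygateway.yaml)" = MUTUAL ]
#   mtls_probe && no_client_cert_probe
```

The negative probe is the one worth keeping in a deployment check: a gateway that still answers 200 without a client certificate has been applied with mode SIMPLE, or the credentialName points at a secret without the cacert entry.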
