I have recently started learning and implementing Istio in an AWS EKS cluster. For configuring TLS for the ingress gateway, I followed this guide, which simply asks you to add the AWS ACM ARN to istio-ingressgateway as an annotation. So I neither had to create a secret from certs nor use Envoy's SDS.
This setup terminates TLS at the gateway, but I also want to enable mTLS within the mesh for securing service-to-service communication. Following their documentation, I created this policy to enforce mTLS within a namespace:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: xyz-mtls-policy
  namespace: xyz-dev
spec:
  mtls:
    mode: STRICT
But even after applying this, I see one service being able to call another service using http.
So my question is: how do I use the ACM certs to implement mTLS in my namespace?
If you're calling from inside the mesh, I would say it's working fine; take a look here and here.
Mutual TLS in Istio
Yes, it's enabled by default since Istio 1.5. There are related docs about this.
I would say there are 3 ways:
You can change it from strict to permissive and call it from outside the mesh, it should work. Then change it to strict and call it again, it shouldn't work. In both ways you should be able to call it from a pod inside the mesh.
If you want to see it in a visual way, Kiali should show something like a padlock when mTLS is enabled; there is a GitHub issue about that.
As was already mentioned in the Banzai Cloud post (and you mentioned it in the comments), you can check the Connection Security Policy metric label. Istio sets this label to mutual_tls if the request has actually been encrypted.
Let me know if you have any more questions.
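As an added example (not part of either post), here is a small Python check of the connection_security_policy label the answer mentions: it parses constructed istio_requests_total samples in Prometheus exposition format and reports requests into a namespace that the destination sidecar did not see as mutual TLS. The label names are Istio's standard ones; the workload names and counts are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample scrape of Istio's standard istio_requests_total metric.
# Label names are Istio's real ones; workload names and counts are made up.
SAMPLE_METRICS = """\
# TYPE istio_requests_total counter
istio_requests_total{reporter="destination",source_workload="frontend",source_workload_namespace="xyz-dev",destination_workload="orders",destination_workload_namespace="xyz-dev",connection_security_policy="mutual_tls",response_code="200"} 42
istio_requests_total{reporter="destination",source_workload="unknown",source_workload_namespace="unknown",destination_workload="orders",destination_workload_namespace="xyz-dev",connection_security_policy="none",response_code="200"} 7
istio_requests_total{reporter="source",source_workload="frontend",source_workload_namespace="xyz-dev",destination_workload="orders",destination_workload_namespace="xyz-dev",connection_security_policy="unknown",response_code="200"} 42
istio_requests_total{reporter="destination",source_workload="frontend",source_workload_namespace="xyz-dev",destination_workload="billing",destination_workload_namespace="payments",connection_security_policy="mutual_tls",response_code="503"} 3
"""

METRIC_RE = re.compile(r'^istio_requests_total\{(?P<labels>[^}]*)\}\s+(?P<value>\d+(?:\.\d+)?)')
LABEL_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_requests_total(text):
    """Yield (labels dict, value) for every istio_requests_total sample."""
    for line in text.splitlines():
        m = METRIC_RE.match(line)
        if not m:
            continue
        yield dict(LABEL_RE.findall(m.group("labels"))), float(m.group("value"))

def non_mtls_requests(text, namespace):
    """Sum requests into `namespace` whose inbound connection was not mutual TLS.

    Only reporter="destination" samples count: the destination sidecar is the
    one that knows whether the inbound connection carried a client certificate.
    Source-side samples carry connection_security_policy="unknown" and are skipped.
    Returns {(destination_workload, source_workload, policy): request_count}.
    """
    totals = defaultdict(float)
    for labels, value in parse_requests_total(text):
        if labels.get("reporter") != "destination":
            continue
        if labels.get("destination_workload_namespace") != namespace:
            continue
        policy = labels.get("connection_security_policy")
        if policy != "mutual_tls":
            key = (labels.get("destination_workload"), labels.get("source_workload"), policy)
            totals[key] += value
    return dict(totals)

if __name__ == "__main__":
    # While the policy is PERMISSIVE this surfaces the plaintext callers that STRICT would reject.
    for (dst, src, policy), n in non_mtls_requests(SAMPLE_METRICS, "xyz-dev").items():
        print(f"{src} -> {dst}: {n:g} requests, connection_security_policy={policy}")
```

Pointing it at a real scrape of a sidecar's metrics endpoint (or a Prometheus query over istio_requests_total) gives the same answer for live traffic.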