SEANK.H.LIAO

istio gateway mtls

mtls notes

gateway

An Istio Gateway is the entry point into your service mesh (cluster). Now, maybe you want to push authentication into the service mesh as well.

Original plan: use pomerium as a forward auth service, like I did for nginx/traefik. Problem: Istio does support forward auth, but not in a way that pomerium supports, and I don't want to proxy everything through pomerium.

Plan B: use the entire Ory stack. Problem: Ory is API first, so I'd need to implement my own UI. Probably saving this for later.

Plan C: use mTLS everywhere.

mTLS

mTLS works at the level of hosts/domains (the TLS connection), so you can't just protect a few paths. So if you were wondering whether to use a single *.example.com gateway or a gateway per service, here's your reason.

cert manager

Get those certs. I'm using cert-manager with a CA issuer.

One way is to:

issuer
# self signed CA root provisioner
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: private-ca-root
spec:
  selfSigned: {}
---
# self signed CA
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: private-ca
spec:
  ca:
    secretName: private-ca-root
certs
# CA root cert
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: private-ca-root
spec:
  secretName: private-ca-root
  duration: 87600h # 10y
  renewBefore: 8760h # 1y
  privateKey:
    algorithm: ECDSA
  isCA: true
  commonName: cluster27-private-ca
  issuerRef:
    name: private-ca-root
---
# cert for gateways
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: k-mtls
spec:
  secretName: k-mtls
  duration: 2160h # 3m
  renewBefore: 720h # 1m
  privateKey:
    algorithm: ECDSA
  usages:
    - server auth
  dnsNames:
    - "k.seankhliao.com"
    - "*.k.seankhliao.com"
  issuerRef:
    name: private-ca
---
# cert for clients
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: client-eevee
spec:
  secretName: client-eevee
  keystores:
    pkcs12:
      create: true
      passwordSecretRef:
        name: p12-password
        key: password
  duration: 8760h # 1y
  renewBefore: 2160h # 3m
  privateKey:
    algorithm: ECDSA
  usages:
    - client auth
  emailAddresses:
    - eevee@seankhliao.com
  issuerRef:
    name: private-ca
gateway setup

Now to use it. On our gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        name: https-httpbin
        number: 443
        protocol: HTTPS
      hosts:
        - "httpbin2.k.seankhliao.com"
      tls:
        mode: MUTUAL
        credentialName: k-mtls
        minProtocolVersion: TLSV1_3
    - port:
        name: http-httpbin
        number: 80
        protocol: HTTP
      hosts:
        - "httpbin2.k.seankhliao.com"
      tls:
        httpsRedirect: true
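To see what the usages, dnsNames and tls.mode MUTUAL above actually enforce, here is an added Go example, not code from this post, cert-manager or Istio: it mints the same three certificates with the standard library and runs the two checks a MUTUAL gateway and a browser make on them. The serial numbers, the 24h validity and the function names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint issues a P-256 ECDSA certificate for tmpl signed by ca (self-signed when ca is nil), standing in for the Issuers above.
func mint(tmpl, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // privateKey.algorithm: ECDSA
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour) // short lifetime, assumed
	if ca == nil {
		ca, caKey = tmpl, key // selfSigned: {} root, as for private-ca-root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewPKI builds the three certificates from the manifests: it returns the trust pool holding ca.crt, the k-mtls gateway cert and the client-eevee cert.
func NewPKI() (*x509.CertPool, *x509.Certificate, *x509.Certificate) {
	caCert, caKey := mint(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "cluster27-private-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil) // isCA: true
	gw, _ := mint(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"k.seankhliao.com", "*.k.seankhliao.com"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, caCert, caKey) // usages: server auth
	cl, _ := mint(&x509.Certificate{SerialNumber: big.NewInt(3), EmailAddresses: []string{"eevee@seankhliao.com"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, caCert, caKey) // usages: client auth
	roots := x509.NewCertPool() // ca.crt: the only trust anchor on either side
	roots.AddCert(caCert)
	return roots, gw, cl
}

// GatewayAccepts is the check tls.mode MUTUAL makes on whatever certificate the peer presents: it must chain to ca.crt and be valid for client auth, or the handshake fails before any path is seen.
func GatewayAccepts(roots *x509.CertPool, presented *x509.Certificate) bool {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
// BrowserAccepts is the client side: gw must chain to ca.crt, be valid for server auth (Go's default) and cover host.
func BrowserAccepts(roots *x509.CertPool, gw *x509.Certificate, host string) bool {
	_, err := gw.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

For the Gateway above to resolve credentialName: k-mtls (and read the ca.crt in that secret for MUTUAL mode), the secret has to live in the namespace of the ingress gateway workload, normally istio-system, so the Certificate needs to be created there.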
client setup

So, to get our devices to trust and use the private CA...

arch linux

Get ca.crt from any one of the secrets, then:

sudo trust anchor --store ca.crt

Get keystore.p12 from the client-x secret and import it in the browser at chrome://settings/certificates.

android

Get ca.crt from any one of the secrets, then: Settings > Security > Encryption & Credentials > Install a certificate > CA certificate

Get keystore.p12 from the client-y secret, then: Settings > Security > Encryption & Credentials > Install a certificate > VPN & app user certificate