Hey everyone! I'm trying to wrap my head around some concepts related to Istio, especially when it comes to connecting my local pod to a service that requires mTLS. Is it possible to send an HTTPS request and have Istio handle the necessary certificates, or does HTTPS just pass through without any additional handling? Also, I'm confused about the difference between TLS and HTTPS in the context of Istio's destination rules. Aren't they essentially the same since HTTPS is based on TLS?
3 Answers
Yes! Istio has solid documentation on handling mTLS and HTTP traffic. You can configure it to either upgrade an HTTP request to mTLS or load client certs into your application. If you send HTTPS directly from your app, Istio won’t inject anything, and that traffic will just tunnel through as is. The key is to either simplify your app's connection to just HTTP or manage certificates properly to allow Istio to facilitate the mTLS communications.
When it comes to TLS vs. HTTPS in Istio’s context, it's a bit of a mix-up. HTTPS is indeed based on TLS, but in the Istio config, they are treated differently. If you're using HTTPS directly in your app, Istio won’t be able to modify that traffic. Instead, it’s best to let Istio manage the mTLS portion by having your app talk plain HTTP to the sidecar, while Istio manages the secure connection to the service. This way, you can take full advantage of what mTLS has to offer within the mesh.
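To make the advice in this answer concrete, here is an added configuration example (mine, not the answer author's and not copied from Istio's documentation) for the "app talks plain HTTP, sidecar does mTLS" setup it recommends: a namespace-wide PeerAuthentication in STRICT mode, a DestinationRule with ISTIO_MUTUAL, and the Service port naming that decides whether the sidecar can upgrade the traffic at all. The namespace `default`, the service name `reviews`, and the port numbers are assumed placeholder values.

```yaml
# Added example, not from the answer above. Namespace, host and ports are placeholders.
# 1) Require mTLS for every workload in the namespace: plaintext from non-mesh
#    clients is rejected, and sidecar-to-sidecar traffic is always mTLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
---
# 2) Tell the client-side sidecar to originate Istio-managed mTLS to the service.
#    The application itself keeps sending plain HTTP to http://reviews:9080.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews-mtls
  namespace: default
spec:
  host: reviews.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL   # sidecar uses certs issued by istiod; the app never sees them
---
# 3) Port naming decides what the sidecar can do. A port named "http" lets it parse
#    the request and wrap it in mTLS; a port named "https" or "tls" is treated as
#    opaque TLS and tunnelled unchanged (the "passes through as is" case above).
apiVersion: v1
kind: Service
metadata:
  name: reviews
  namespace: default
spec:
  selector:
    app: reviews
  ports:
  - name: http          # sidecar-managed mTLS works on this port
    port: 9080
    targetPort: 9080
  # - name: https       # app-managed TLS: the sidecar only tunnels it
  #   port: 9443
  #   targetPort: 9443
```

With Istio's auto mTLS (on by default) the DestinationRule is optional; it is included to make the client-side setting explicit, and because any existing DestinationRule for the host with `mode: DISABLE` or `mode: SIMPLE` would override auto mTLS and silently turn the hop back into plaintext or one-way TLS. `istioctl x describe pod <client-pod>` reports whether the sidecar is actually using mTLS for the destination.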
So essentially, Istio is much more effective when managing TLS rather than just passing through HTTPS from the app?
Great question! When you're working with Istio, typically you manage your TLS termination at the ingress point. This means Istio mainly deals with securing traffic once it's inside the mesh rather than handling HTTPS connections directly outwards. It’s true that when you send HTTPS requests through Istio, they tend to just pass through without modification if you're using the standard TCP proxy. So if you want Istio to handle the mTLS, your app should send regular HTTP requests and let Istio take care of upgrading the traffic to HTTPS on its way out.
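As an added example (my own, not code from this answer or from the Istio project) of the ingress-side picture this answer describes, the Gateway below shows the one place where "HTTPS" and "TLS" are genuinely different words in Istio configuration: a server with `protocol: HTTPS` terminates TLS at the ingress gateway and hands decrypted HTTP to the mesh, while a server with `protocol: TLS` and `mode: PASSTHROUGH` only reads the SNI and forwards the still-encrypted bytes, which is the pass-through behaviour the answer mentions. The hostnames, the secret name `app-tls-cert`, and the backend services are assumed placeholders.

```yaml
# Added example, not from the answer above. Hostnames, secret and backends are placeholders.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: edge-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  # Server 1: protocol HTTPS. The gateway terminates TLS with the certificate in the
  # named Kubernetes secret (same namespace as the gateway pod) and routes the
  # decrypted HTTP into the mesh, where sidecars re-encrypt it with mTLS.
  - port:
      number: 443
      name: https-app
      protocol: HTTPS
    tls:
      mode: SIMPLE                 # terminate here; MUTUAL would also demand a client cert
      credentialName: app-tls-cert # placeholder secret holding tls.crt / tls.key
    hosts:
    - app.example.com
  # Server 2: protocol TLS with PASSTHROUGH, selected by SNI on the same port.
  # The backend pod terminates TLS itself, so Istio cannot inspect, route by
  # path, or apply HTTP-level policy to this traffic.
  - port:
      number: 443
      name: tls-legacy
      protocol: TLS
    tls:
      mode: PASSTHROUGH
    hosts:
    - legacy.example.com
---
# Routing for the terminated server: an ordinary HTTP route to an internal service.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: app-route
  namespace: istio-system
spec:
  hosts:
  - app.example.com
  gateways:
  - edge-gateway
  http:
  - route:
    - destination:
        host: app.default.svc.cluster.local
        port:
          number: 9080
---
# Routing for the passthrough server: only an SNI match is possible, no HTTP matching.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: legacy-route
  namespace: istio-system
spec:
  hosts:
  - legacy.example.com
  gateways:
  - edge-gateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - legacy.example.com
    route:
    - destination:
        host: legacy.default.svc.cluster.local
        port:
          number: 8443
```

The practical consequence for the original question: anything behind the HTTPS server gets the full mesh treatment (sidecar mTLS, request-level authorization policies, HTTP telemetry), whereas the passthrough path is opaque to Istio beyond the SNI and TCP-level metrics, so an application that insists on speaking HTTPS itself gives up those controls.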
So if I understand correctly, for mTLS to work smoothly, I shouldn't have my application handling HTTPS directly, right? Just let Istio manage that part?

That makes sense! So I have to choose how to set up my app to ensure Istio can properly handle those requests.