7
votes

This is an "in principle" question as I seek to understand the way mTLS is implemented in Istio, and how it works with services that otherwise support mTLS well (such as gRPC).

Consider that I have a cluster with "mTLS everywhere" enabled. This effectively tunnels all TCP connections over the mTLS pipe between Envoy proxies, and the connection between Envoy and the service is in plain text.

However, there are services that require at least TLS connections to the Envoy proxy; ideally mTLS connections. One of these is gRPC, which requires TLS in order to use its core JWT authentication:

https://grpc.io/docs/guides/auth.html#authenticate-with-google

So, the question becomes:

  • Is it possible to have the Envoy proxy "snoop" on connections that are otherwise mTLS-encrypted at the origin service itself? Ideally using certificates and keys provisioned by Citadel.
  • Is the solution otherwise to create a new authentication method that ignores the fact that it's over plaintext, as it'll be mTLS'd by Istio?

<3 Cheers


1 Answers

0
votes

One of the many problems Istio is trying to solve is to offload certificate management from the application layer to the sidecar container. I personally don't know of a way to use Citadel to manage certificates in the app container. As for the "snooping", you may try to cook something up with an Envoy filter, but even if you can, this will be a custom solution that will break easily. Somehow I don't think this will work, or that it can be done at all. Your first question/approach seems to be on the wrong track.

Unfortunately, I can't give you a straight answer to your second question, but I was briefly involved with a project that used gRPC microservices with JWTs that were verified by Istio, and we were definitely not handling certificates in the containers. So, without having specific implementation details, I'll say option two is the way to go.

For what it's worth, this is an example of the authentication policy that was used.

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: {{ template "service.name" . }}
  labels:
    app: {{ template "service.name" . }}
    chart: {{ template "service.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  targets:
  - name: {{ template "service.name" . }}
  origins:
  - jwt:
      issuer: https://auth.company.com/
      jwksUri: https://auth-service.auth.svc.cluster.local:8008/keys/public
      audiences:
      - dGQVkdEluc3RhrmNps:CompanyApp:CompanyOrg
  principalBinding: USE_ORIGIN
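As an added illustration of the answer's "option two" (this is example code written here, not code from the original post, from Istio or from the answerer's project): with origin authentication configured as in the policy above, the sidecar, not the application, performs the JWT checks, so the application can accept plaintext gRPC and simply carry the token in its `authorization` metadata. The standard-library Python below models the checks those policy fields configure: key lookup by `kid` from the document fetched from `jwksUri`, signature verification, and matching of the token's `iss`/`aud` claims against `issuer` and `audiences`. The JWKS document, the secret, the claims and the use of a symmetric HS256 (`kty: oct`) key are constructed assumptions so the example runs offline; the endpoints in the policy publish RSA or EC public keys, and whether your Istio version accepts `oct` keys is not something this example asserts.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the document the sidecar fetches from jwksUri.
# A symmetric key is an assumption made so the example needs no crypto library.
SECRET = b"constructed-example-hmac-key-not-for-production"
JWKS = {
    "keys": [
        {"kty": "oct", "kid": "key-2019-01", "alg": "HS256",
         "k": base64.urlsafe_b64encode(SECRET).rstrip(b"=").decode()}
    ]
}

# The policy fields that drive token validation (values copied from the policy above).
POLICY = {
    "issuer": "https://auth.company.com/",
    "audiences": ["dGQVkdEluc3RhrmNps:CompanyApp:CompanyOrg"],
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, kid: str, key: bytes) -> str:
    """Issue an HS256 JWT the way a (hypothetical) auth service would."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def lookup_key(jwks: dict, kid: str) -> Optional[bytes]:
    """Select the JWK named by the token header's kid; unknown kids are rejected."""
    for jwk in jwks["keys"]:
        if jwk.get("kty") == "oct" and jwk.get("kid") == kid:
            return b64url_decode(jwk["k"])
    return None


def validate_token(token: str, policy: dict, jwks: dict, now: Optional[float] = None) -> dict:
    """Return the verified claims or raise ValueError; mirrors the origin-authentication checks."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":          # never let the token pick "none" or another alg
        raise ValueError("unsupported alg")
    key = lookup_key(jwks, header.get("kid", ""))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != policy["issuer"]:           # policy: issuer
        raise ValueError("issuer mismatch")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if not set(aud) & set(policy["audiences"]):         # policy: audiences
        raise ValueError("audience mismatch")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authenticate_metadata(metadata: dict, policy: dict = POLICY, jwks: dict = JWKS,
                          now: Optional[float] = None) -> Optional[str]:
    """Take the bearer token from plaintext gRPC metadata and return the subject, or None if rejected."""
    auth = metadata.get("authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        return validate_token(auth[len("Bearer "):], policy, jwks, now)["sub"]
    except ValueError:
        return None


if __name__ == "__main__":
    claims = {"iss": POLICY["issuer"], "aud": POLICY["audiences"], "sub": "svc-a", "exp": 2000000000}
    token = mint_token(claims, "key-2019-01", SECRET)
    # The client attaches the token as metadata; the sidecar's mTLS protects it on the wire.
    print(authenticate_metadata({"authorization": "Bearer " + token}, now=1000000000))
```

The token travels over the plaintext hop between the sidecar and the app only inside the pod; between pods it is inside the Envoy-to-Envoy mTLS tunnel, which is why the application does not need its own TLS for this scheme. Note that the check pins the algorithm before looking up the key, so a token that declares a different `alg` is rejected regardless of what key it names.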