Tetrate Service Bridge, Version: 1.11.x

Enforce Gateways to Services Traffic over mTLS

This document covers how to enforce mTLS on the communication between a Gateway and its upstream services, irrespective of whether those upstream services are sidecar injected or not.

Before you get started, make sure:
✓ TSB is up and running, and GitOps has been enabled for the target cluster
✓ You are familiar with TSB concepts
✓ You have completed the TSB usage quickstart. This document assumes you are familiar with Tenant, Workspace and Config Groups.

Scenario

Consider an IngressGateway deployed to route to multiple upstream services, one of them sidecar injected (istio-injection enabled in its namespace) and another non-injected.

Here we have two httpbin services deployed in two different namespaces. One sleep service is deployed in the mesh namespace and another sleep service is deployed in the non-mesh namespace. We have also deployed an IngressGateway exposing two separate routes, /mesh and /non-mesh, which route to the mesh-enabled and mesh-disabled service respectively.

TSB Configuration

Create the TSB configurations like Tenant/Workspace/Group as shown below.

tsb-conf.yaml
apiVersion: api.tsb.tetrate.io/v2
kind: Tenant
metadata:
  displayName: Research
  name: research
  organization: tetrate
spec:
  displayName: Research
---
apiVersion: api.tsb.tetrate.io/v2
kind: Workspace
metadata:
  name: mesh-ws
  organization: tetrate
  tenant: research
spec:
  namespaceSelector:
    names:
    - cp-cluster-1/mesh
---
apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
  name: mesh-gg
  organization: tetrate
  tenant: research
  workspace: mesh-ws
spec:
  namespaceSelector:
    names:
    - cp-cluster-1/mesh
---
apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
  name: mesh-tg
  organization: tetrate
  tenant: research
  workspace: mesh-ws
spec:
  namespaceSelector:
    names:
    - cp-cluster-1/mesh
---

Configure Gateway

Configure the IngressGateway deployment as shown below, then apply it.

gw-install.yaml
apiVersion: install.tetrate.io/v1alpha1
kind: Gateway
metadata:
  name: ingress
  namespace: mesh
spec:
  type: INGRESS
  kubeSpec:
    service:
      type: LoadBalancer

kubectl apply -f gw-install.yaml -n mesh

Configure TSB Gateway resource

ingress-gw.yaml
apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
  group: mesh-gg
  name: ingress
  organization: tetrate
  tenant: research
  workspace: mesh-ws
spec:
  http:
  - hostname: httpbin.tetrate.io
    name: ingress
    port: 80
    routing:
      rules:
      - match:
        - uri:
            prefix: /mesh
        route:
          serviceDestination:
            host: httpbin/httpbin.mesh.svc.cluster.local
      - match:
        - uri:
            prefix: /non-mesh
        route:
          serviceDestination:
            host: httpbin/httpbin.non-mesh.svc.cluster.local
  workloadSelector:
    labels:
      app: ingress
      istio: ingressgateway
    namespace: mesh

Configure TrafficSetting

As you can see in the configuration below, trafficMode: REQUIRED is set for both hosts in upstreamTrafficSettings, which makes the gateway require mTLS for its upstream connections to those hosts. A requestTimeout of 2s is also set so that a connection that never completes is failed quickly.

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
  group: mesh-tg
  name: enforce-mtls
  organization: tetrate
  tenant: research
  workspace: mesh-ws
spec:
  outbound:
    upstreamTrafficSettings:
    - hosts:
      - httpbin.mesh.svc.cluster.local
      - httpbin.non-mesh.svc.cluster.local
      settings:
        authentication:
          trafficMode: REQUIRED
        resilience:
          connectionPool:
            http:
              requestTimeout: 2s
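The enforcement only holds for hosts that the TrafficSetting actually names: a route added to the Gateway later, or a second TrafficSetting that relaxes a host to another mode, silently leaves an upstream without mTLS. The following check is an added example and not part of the TSB documentation or product; it embeds constructed copies of the Gateway and TrafficSetting shown on this page (only the fields the check reads), assumes exact hostname matching between serviceDestination hosts and upstreamTrafficSettings.hosts, and reports every routed upstream that is not covered by trafficMode: REQUIRED.

```python
"""Cross-check a TSB Gateway's routed upstreams against TrafficSetting mTLS rules.

Added example, not part of the TSB documentation. The two documents below are
constructed inline to mirror the resources shown on this page; the check
assumes exact hostname matching in upstreamTrafficSettings.hosts.
"""

# Constructed copy of the page's Gateway resource (only the fields the check needs).
GATEWAY = {
    "kind": "Gateway",
    "metadata": {"name": "ingress", "group": "mesh-gg"},
    "spec": {
        "http": [{
            "hostname": "httpbin.tetrate.io",
            "name": "ingress",
            "port": 80,
            "routing": {"rules": [
                {"match": [{"uri": {"prefix": "/mesh"}}],
                 "route": {"serviceDestination": {
                     "host": "httpbin/httpbin.mesh.svc.cluster.local"}}},
                {"match": [{"uri": {"prefix": "/non-mesh"}}],
                 "route": {"serviceDestination": {
                     "host": "httpbin/httpbin.non-mesh.svc.cluster.local"}}},
            ]},
        }]
    },
}

# Constructed copy of the page's TrafficSetting resource.
TRAFFIC_SETTING = {
    "kind": "TrafficSetting",
    "metadata": {"name": "enforce-mtls", "group": "mesh-tg"},
    "spec": {"outbound": {"upstreamTrafficSettings": [{
        "hosts": ["httpbin.mesh.svc.cluster.local",
                  "httpbin.non-mesh.svc.cluster.local"],
        "settings": {
            "authentication": {"trafficMode": "REQUIRED"},
            "resilience": {"connectionPool": {"http": {"requestTimeout": "2s"}}},
        },
    }]}},
}


def routed_upstreams(gateway):
    """Return the set of upstream FQDNs the Gateway routes to.

    serviceDestination.host is written as <prefix>/<fqdn>; only the FQDN part
    is compared against TrafficSetting hosts, so the prefix is stripped.
    """
    fqdns = set()
    for server in gateway["spec"].get("http", []):
        for rule in server.get("routing", {}).get("rules", []):
            host = rule.get("route", {}).get("serviceDestination", {}).get("host")
            if host:
                fqdns.add(host.rsplit("/", 1)[-1])
    return fqdns


def mtls_modes(traffic_settings):
    """Map each host named in any upstreamTrafficSettings block to the set of
    trafficMode values applied to it (a missing mode is recorded as UNSET)."""
    modes = {}
    for ts in traffic_settings:
        outbound = ts["spec"].get("outbound", {})
        for block in outbound.get("upstreamTrafficSettings", []):
            mode = (block.get("settings", {}).get("authentication", {})
                    .get("trafficMode", "UNSET"))
            for host in block.get("hosts", []):
                modes.setdefault(host, set()).add(mode)
    return modes


def unenforced_upstreams(gateway, traffic_settings):
    """Return {fqdn: [modes]} for routed upstreams not covered by REQUIRED.

    A host is a gap when no TrafficSetting names it, or when any block naming
    it applies a mode other than REQUIRED: from a defender's point of view the
    weaker setting counts until the relaxation is explained.
    """
    modes = mtls_modes(traffic_settings)
    gaps = {}
    for fqdn in sorted(routed_upstreams(gateway)):
        seen = modes.get(fqdn, set())
        if seen != {"REQUIRED"}:
            gaps[fqdn] = sorted(seen) or ["<no TrafficSetting>"]
    return gaps


if __name__ == "__main__":
    gaps = unenforced_upstreams(GATEWAY, [TRAFFIC_SETTING])
    for fqdn, seen in gaps.items():
        print(f"GAP {fqdn}: trafficMode {seen}")
    if not gaps:
        print("all routed upstreams enforce mTLS (trafficMode: REQUIRED)")
```

In a GitOps pipeline the same functions would be fed the parsed YAML of every Gateway and TrafficSetting in the workspace, so that a new route must ship with its matching upstreamTrafficSettings entry before it is merged.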

Verification

  1. Send a request to the /mesh path. The request works as expected and returns status code 200.
  2. Send a request to the /non-mesh path. The request fails with HTTP status code 503, given that the client waits longer than the request timeout configured in the ingress gateway.
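The two checks above can be scripted so that the expected outcome is asserted rather than eyeballed. The probe below is an added example and not part of the TSB documentation; GATEWAY_ADDR is a placeholder for the LoadBalancer address of the ingress service, and the virtual host and paths are the ones configured on this page. The client timeout is set longer than the gateway's 2s requestTimeout so that the 503 generated by the gateway is observed rather than hidden behind a client-side timeout.

```python
"""Probe the gateway's two routes and compare the answers with the expected outcome.

Added example, not from the TSB documentation. GATEWAY_ADDR is a placeholder;
the virtual host and paths match the Gateway resource on this page.
"""
import http.client
import socket

GATEWAY_ADDR = "GATEWAY_IP_PLACEHOLDER"  # replace with the ingress LoadBalancer address
VHOST = "httpbin.tetrate.io"

# Expected result per route once mTLS is REQUIRED upstream, as stated on this page:
# the sidecar-injected upstream serves the request, the non-injected one fails with 503.
EXPECTED = {"/mesh": 200, "/non-mesh": 503}


def http_status(path, addr=GATEWAY_ADDR, vhost=VHOST, timeout=10.0):
    """Return the HTTP status the gateway answers for `path`, or None if no
    response arrives within `timeout` seconds.

    `timeout` is deliberately larger than the gateway's 2s requestTimeout so
    that the gateway's own 503 is seen instead of a client-side timeout.
    """
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": vhost})
        return conn.getresponse().status
    except (OSError, socket.timeout, http.client.HTTPException):
        return None
    finally:
        conn.close()


def verify(fetch=http_status, expected=EXPECTED):
    """Probe every path in `expected` with `fetch` and return the mismatches as
    {path: (expected_status, observed_status)}; an empty dict means all good."""
    mismatches = {}
    for path, want in expected.items():
        got = fetch(path)
        if got != want:
            mismatches[path] = (want, got)
    return mismatches


if __name__ == "__main__":
    bad = verify()
    for path, (want, got) in bad.items():
        print(f"{path}: expected {want}, observed {got}")
    print("OK" if not bad else f"{len(bad)} route(s) differ from expectation")
```

A 200 on /non-mesh is the result to watch for: it means the gateway reached the non-injected service in plaintext, so the TrafficSetting is not being applied to that host.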