Envoy/Istio TCP proxy passing client certificate details to upstream cluster

Animesh

Jun 5, 2020, 7:52:19 PM6/5/20
to envoy-dev
Hi

We have been using Istio/Envoy as a front proxy / API gateway and as the service proxy within the service mesh. The clients are authenticated via mTLS at the Istio ingress. This works fine for any HTTP/gRPC upstream service. With an HTTP upstream service, the client certificate is available as x-forwarded-client-cert.

Now we have a new use case: supporting TCP services in the service mesh. The TCP client certificate carries some information that the upstream TCP service needs. Is there a way to pass the certificate presented by the client at the ELB to the upstream server?


I did a quick POC with a sample TCP echo server and TCP echo client and could validate the path, including mTLS, but I'm not able to find a way to have the certificate details available at the TCP server.

TCP Client (Go) --> Istio ELB (port 31400) --> TCP Echo Server (Go server, port 2701)



----------(Gateway Configuration) --------------
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: echo-tcp-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 31400
      name: tls-echo
      protocol: TLS
    hosts:
    - "$hostname"
    tls:
      # Client certificates are verified against this CA at the gateway;
      # the gateway terminates TLS here, so nothing past it sees the handshake.
      caCertificates: /etc/istio/ingressgateway-ca-certs/ca.cert.pem
      mode: MUTUAL
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

--------------(Virtual Service Configuration) -------------
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tcp-echo-vs-from-gw
spec:
  hosts:
  - "$hostname"
  gateways:
  - echo-tcp-gateway
  tcp:
  - match:
    - port: 31400
    route:
    - destination:
        host: tcp-echo-service
        port:
          number: 2701
------------------------------

Please advise.

Thanks
Animesh
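The Go echo server and client described in the post, as an added example that is not part of the original message and not Istio's or Envoy's own code. It builds a throwaway CA with a server and a client certificate in memory (all constructed here), runs an mTLS echo server on a loopback port and shows where the client certificate details actually live: in the connection state of whichever process terminates TLS. That is the crux of the question: once the ingress gateway terminates mTLS and the TCP proxy forwards raw bytes, the upstream no longer sees the original client's TLS session, and a plain TCP stream has no place for a header like x-forwarded-client-cert. The names echo-ca, tcp-echo-service and tcp-client are assumptions made for this example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must turns fixture errors into panics; nothing here is recoverable by a caller.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue builds a throwaway in-memory certificate for cn (constructed for this example):
// a self-signed CA when parent == nil, otherwise a leaf signed by parent that is valid
// for both server and client authentication.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // SAN checked by the client dialing 127.0.0.1
	}
	if parent == nil { // self-signed CA: the template signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// echoOnce accepts one connection, reads a line and echoes it back prefixed with the
// CommonName of the client certificate. The certificate is available only because this
// process terminates TLS itself; a TCP server behind a proxy that terminated mTLS on its
// behalf sees a plain connection and no peer certificate at all.
func echoOnce(ln net.Listener) {
	conn, err := ln.Accept()
	must(err)
	defer conn.Close()
	tc := conn.(*tls.Conn)
	line, err := bufio.NewReader(tc).ReadString('\n') // the first read completes the handshake
	must(err)
	// RequireAndVerifyClientCert guarantees a chain verified against ClientCAs is present.
	peer := tc.ConnectionState().PeerCertificates[0]
	fmt.Fprintf(tc, "%s: %s", peer.Subject.CommonName, line)
}

// RunEcho builds the fixture (CA, server and client certificates), runs the echo server
// on a loopback port, sends msg over mTLS and returns the reply the client received.
func RunEcho(msg string) string {
	ca, caKey := issue("echo-ca", nil, nil)
	srvCert, srvKey := issue("tcp-echo-service", ca, caKey)
	cliCert, cliKey := issue("tcp-client", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mTLS: no certificate from our CA, no connection
		ClientCAs:    pool,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	must(err)
	defer ln.Close()
	go echoOnce(ln)
	cliCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}},
		RootCAs:      pool,
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	must(err)
	defer conn.Close()
	_, err = fmt.Fprintf(conn, "%s\n", msg)
	must(err)
	reply, err := bufio.NewReader(conn).ReadString('\n')
	must(err)
	return reply
}

func main() {
	fmt.Print(RunEcho("hello from the TCP client"))
}
```

Running it prints the echoed line prefixed with the client certificate's CommonName, because the echo server is the TLS endpoint. Put Envoy's TCP proxy in front of this server with the Gateway above terminating mTLS and the same server code finds no TLS session to inspect, which is the behaviour the POC ran into.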


