Gloo and Istio mTLS with older versions of Istio

This reference guide contains instructions for older versions of Istio (1.0 to 1.5). If you are running Istio 1.6, you can use the latest documentation here.

Serving as the Ingress for an Istio cluster – without compromising on security – means supporting mutual TLS (mTLS) communication between Gloo and the rest of the cluster. Mutual TLS means that the client proves its identity to the server (in addition to the server proving its identity to the client, which happens in regular TLS).

Guide versions

Istio versions

This guide was tested with Istio 1.0.9, 1.1.17, 1.3.6, 1.4.3, and 1.5.1.

Gloo versions

This guide was tested with Gloo v1.3.1 except where noted.

Kubernetes versions

This guide was tested with GKE v1.15.

Please note that if you are running Kubernetes > 1.12 in Minikube, you may run into several issues later on when installing Istio in SDS mode. This mode requires the projection of the istio-token service account tokens into volumes. We recommend installing Istio in a cluster which has this feature turned on by default (for example, GKE).

Step 1 - Install Istio

Download and install

To download and install the latest version of Istio, follow the installation instructions here. You will need to set the profile to sds for this guide.

Previous releases can be found for download here.

For a quick install of Istio 1.0.6 or 1.0.9 (releases that predate the SDS mode option) with mTLS enabled, run the following commands from your downloaded Istio directory:

kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
kubectl apply -f install/kubernetes/istio-demo-auth.yaml
kubectl get pods -w -n istio-system

Use kubectl get pods -n istio-system to check the status on the Istio pods and wait until all the pods are Running or Completed.

SDS mode

In Istio 1.1, a new option to configure certificates and keys was introduced, based on Envoy Proxy’s Secret Discovery Service (SDS). In this mode Istio delivers the secrets to the proxy through an API instead of mounting them into the file system, as Istio 1.0 does. This has two big benefits:

For more information on Istio’s identity provisioning through SDS take a look at the Istio documentation.
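To make the SDS flow concrete for the Gloo side, the following is an added example (not configuration from the original page) of the two objects Gloo needs when Istio 1.1 runs SDS through its node agent: the gateway-proxy pod mounts the node agent's Unix socket and a projected istio-token, and the productpage Upstream tells Envoy to fetch its client certificate and the root CA over SDS instead of reading files. The socket path, token audience, credential header, and the secret names default and ROOTCA are assumptions taken from Istio 1.1's SDS defaults, and the Upstream's kube block assumes the bookinfo productpage service; check each value against the Istio release you actually installed.

```yaml
# Added example, not from the Gloo docs page. Only the fields relevant to
# mTLS over SDS are shown; merge them into the existing objects.
#
# 1. deploy/gateway-proxy in gloo-system: give Envoy access to the node
#    agent's SDS socket and a service account token it can present to it.
#    Paths and audience are assumptions matching Istio 1.1 SDS defaults.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gateway-proxy
  namespace: gloo-system
spec:
  template:
    spec:
      containers:
      - name: gateway-proxy
        volumeMounts:
        - name: sds-uds-path
          mountPath: /var/run/sds
          readOnly: true
        - name: istio-token
          mountPath: /var/run/secrets/tokens
          readOnly: true
      volumes:
      - name: sds-uds-path
        hostPath:
          path: /var/run/sds      # Unix socket exposed by the Istio node agent
      - name: istio-token
        projected:
          sources:
          - serviceAccountToken:
              audience: istio-ca   # audience the node agent expects
              expirationSeconds: 43200
              path: istio-token
---
# 2. The Upstream that needs mTLS: no cert files on disk, Envoy asks the
#    SDS server for the "default" identity cert and the "ROOTCA" trust
#    bundle, authenticating with the projected token. Upstreams without an
#    sslConfig continue to be reached over plain HTTP.
apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: default-productpage-9080
  namespace: gloo-system
spec:
  kube:
    serviceName: productpage
    serviceNamespace: default
    servicePort: 9080
  sslConfig:
    sds:
      targetUri: unix:/var/run/sds/uds_path
      callCredentials:
        fileCallCredential:
          tokenFileName: /var/run/secrets/tokens/istio-token
          header: istio_sds_credentials_header-bin
      certificatesSecretName: default
      validationContextName: ROOTCA
```

Because the token is projected with a short lifetime and an explicit audience, a token lifted from the gateway-proxy pod is useless against the Kubernetes API and expires on its own, which is the main security gain over copying the long-lived istio.default secret into the pod.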

Step 2 - Install bookinfo

Before configuring Gloo, you’ll need to install the bookinfo sample app to be consistent with this guide, or you can use your preferred Upstream. Either way, you’ll need to enable istio-injection in the default namespace:

kubectl label namespace default istio-injection=enabled

To install the bookinfo sample app, cd into your downloaded Istio directory and run this command:

kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml

Step 3 - Configure Gloo

If necessary, install Gloo with either glooctl:

glooctl install gateway

or with helm:

kubectl create ns gloo-system; helm install --namespace gloo-system --version 1.3.20 gloo gloo/gloo

See the quick start guide for more information.

Gloo is installed to the gloo-system namespace and should not be injected with the Istio sidecar. If you have automatic injection enabled for Istio, make sure the istio-injection label does not exist on the gloo-system namespace. See the Istio docs on automatic sidecar injection for more.

For Gloo to successfully send requests to an Istio Upstream with mTLS enabled, we need to add the Istio mTLS secret to the gateway-proxy pod. The secret allows Gloo to authenticate with the Upstream service.

The last configuration step is to configure the relevant Gloo Upstreams with mTLS. We can be fine-grained about which Upstreams get these settings, since not every Gloo Upstream needs or wants mTLS enabled. This gives us the flexibility to route to Upstreams both with and without mTLS enabled, a common situation in a brown-field environment or during a migration to Istio.

Version-specific configurations for the gateway-proxy and the sample Upstream can be found below:

Edit the gateway-proxy with this command:

kubectl edit deploy/gateway-proxy -n gloo-system

Edit the Upstream with this command:

kubectl edit upstream default-productpage-9080 --namespace gloo-system
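As an added example (not the configuration from the original page), here is what those two edits amount to for the file-mounted approach used with Istio 1.0.x, where Citadel issues each service account's certificate as a Secret named istio.<serviceaccount> in the account's namespace. The secret name istio.default, the mount path /etc/certs and the three file names are assumptions based on Istio 1.0 defaults, and the Upstream's kube block assumes the bookinfo productpage service; only the fields relevant to mTLS are shown.

```yaml
# Added example, not from the Gloo docs page. Merge these fields into the
# existing objects rather than replacing them wholesale.
#
# 1. deploy/gateway-proxy in gloo-system: mount the Citadel-issued secret so
#    Envoy can present a client certificate. "istio.default" is the secret
#    Citadel creates for the default service account in gloo-system
#    (assumption based on Istio 1.0 naming).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gateway-proxy
  namespace: gloo-system
spec:
  template:
    spec:
      containers:
      - name: gateway-proxy
        volumeMounts:
        - name: istio-certs
          mountPath: /etc/certs
          readOnly: true
      volumes:
      - name: istio-certs
        secret:
          secretName: istio.default
---
# 2. The Upstream that needs mTLS: point Gloo at the mounted files.
#    cert-chain.pem / key.pem are the client identity Gloo presents;
#    root-cert.pem is the CA Gloo uses to verify the sidecar it talks to.
#    Leave sslConfig off any Upstream that should stay plain HTTP.
apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  name: default-productpage-9080
  namespace: gloo-system
spec:
  kube:
    serviceName: productpage
    serviceNamespace: default
    servicePort: 9080
  sslConfig:
    sslFiles:
      tlsCert: /etc/certs/cert-chain.pem
      tlsKey: /etc/certs/key.pem
      rootCa: /etc/certs/root-cert.pem
```

After saving both edits, kubectl get upstream default-productpage-9080 -n gloo-system -o yaml should still show the sslConfig block; if it has disappeared, function discovery has rewritten the Upstream and needs to be disabled first as described below.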

For Gloo versions 1.1.x and up, you must disable function discovery before editing the Upstream to prevent your change from being overwritten by Gloo:

kubectl label namespace default

To test this out, we need a route in Gloo:

glooctl add route --name prodpage --namespace gloo-system --path-prefix / --dest-name default-productpage-9080 --dest-namespace gloo-system

And we can curl it:

curl -v $(glooctl proxy url)/productpage

Or access it in the browser:

HTTP_GW=$(glooctl proxy url)
## Open the ingress url in the browser:
$([ "$(uname -s)" = "Linux" ] && echo xdg-open || echo open) $HTTP_GW/productpage

Istio 1.0.x

Istio 1.1.x

Istio 1.3.x and 1.4.x

Istio 1.5.x

Istio 1.6.x