apiVersion: maistra.io/v1
kind: serviceMeshControlPlane
spec:
istio:
global:
mtls:
enabled: true
If your service mesh application is constructed with a complex array of microservices, you can use Red Hat OpenShift service Mesh to customize the security of the communication between those services. The infrastructure of OpenShift Container Platform along with the traffic management features of service Mesh can help you manage the complexity of your applications and provide service and identity security for microservices.
Mutual Transport Layer Security (mTLS) is a protocol where two parties authenticate each other at the same time. It is the default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS).
MTLS can be used without changes to the application or service code. The TLS is handled entirely by the service mesh infrastructure and between the two sidecar proxies.
By default, Red Hat OpenShift service Mesh is set to permissive mode, where the sidecars in service Mesh accept both plain-text traffic and connections that are encrypted using mTLS. If a service in your mesh is communicating with a service outside the mesh, strict mTLS could break communication between those services. Use permissive mode while you migrate your workloads to service Mesh.
If your workloads do not communicate with services outside your mesh and communication will not be interrupted by only accepting encrypted connections, you can enable mTLS across your mesh quickly. Set spec.istio.global.mtls.enabled
to true
in your serviceMeshControlPlane resource. The operator creates the required resources.
apiVersion: maistra.io/v1
kind: serviceMeshControlPlane
spec:
istio:
global:
mtls:
enabled: true
Create a destination rule to configure service Mesh to use mTLS when sending requests to other services in the mesh.
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
name: "default"
namespace: <CONTROL_PLANE_NAMESPACE>
spec:
host: "*.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL