2025-01-31 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article gives a brief introduction to deploying Istio to migrate service traffic to two-way TLS. Related professional terms are not explained here; you can look them up online or in the relevant books. Let's go straight to the topic of migrating to two-way TLS with Istio, and I hope it brings you some practical help.
In Istio, two-way (mutual) TLS is a complete stack solution for transport authentication. It gives each service a strong identity that works across clusters, protects service-to-service and end-user-to-service communication, and provides a key management system. This article describes how to upgrade the traffic of existing Istio services from plaintext to two-way TLS without interrupting communication.
Usage scenario
In a cluster where Istio is deployed, users may focus on functionality at the beginning, and communication between services is configured as plaintext. Once the functionality matures and security becomes a concern, services deployed with a sidecar need to use two-way TLS for secure transmission, but the services cannot be interrupted. In this case, the desirable approach is a migration to two-way TLS.
Here is an example to demonstrate how to migrate two-way TLS.
Environment preparation
A cluster with Istio deployed and two-way TLS not enabled
Three namespaces created: foo, bar, and legacy
The httpbin and sleep applications deployed with Istio sidecar injection in foo and bar respectively, and the sleep application deployed without sidecar injection in legacy
Check the deployment
As you can see, picking the sleep application from any of the namespaces and sending an HTTP request to httpbin.foo succeeds. At this point, plaintext transmission is used.
Check the authentication policies and destination rules in the system:
As you can see, there are no authentication policies or destination rules in the foo, bar, and legacy namespaces.
We now configure the server and then the client to upgrade the transport:
Configure the server
Apply the following policy to the server:
In the policy shown in the figure above, the mode is PERMISSIVE, which allows the server to accept both plaintext and two-way TLS traffic, depending on what the client sends. If you verify the network communication again, you can see that all requests are still successful and are currently sent in plaintext.
Configure the client
Add a destination rule for the server by applying the DestinationRule shown in the following figure:
After these rules take effect, the clients sleep.foo and sleep.bar will start communicating with httpbin.foo using two-way TLS, while sleep.legacy is not affected by the DestinationRule because it has no sidecar injected, and it still talks to httpbin.foo in plaintext.
Sending the requests again to verify the above analysis, we can see that all three applications still succeed:
Lock down to two-way TLS (optional)
In this way, traffic between different clients and servers can be migrated to two-way TLS. Once all traffic in the system has been migrated and we want every application to communicate securely over two-way TLS, we can lock the transmission between applications down to two-way TLS. The specific operation is as follows: change the mtls mode of the authentication policy configured above to STRICT, so that the server accepts traffic only over two-way TLS.
After locking down, send the verification requests again: the request from sleep.legacy fails, because sleep.legacy has no sidecar injected and cannot perform two-way TLS transmission.
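As an added example (the manifests are not the figures from the original article, which are not reproduced here), the two resources below express the same migration using the current Istio PeerAuthentication and DestinationRule APIs; the selector label app: httpbin and the service hostname are assumptions based on Istio's sample applications, and the STRICT lock-down step is shown as a commented change to the same policy.

```yaml
# Step 1 (server side): let httpbin in namespace foo accept both plaintext
# and two-way TLS while clients are being migrated.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin          # assumed label from the Istio httpbin sample
  mtls:
    mode: PERMISSIVE        # Step 3 (optional lock-down): change to STRICT
                            # once every client has a sidecar; plaintext
                            # callers such as sleep.legacy will then fail
---
# Step 2 (client side): make every sidecar that calls httpbin.foo originate
# two-way TLS. With no exportTo, the rule is visible mesh-wide, so sleep.foo
# and sleep.bar both pick it up; sleep.legacy has no sidecar and ignores it.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin
  namespace: foo
spec:
  host: httpbin.foo.svc.cluster.local   # assumed FQDN of the httpbin service
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

Apply the two resources in this order (server policy first, then client rule) so that no client is asked to originate two-way TLS before the server is ready to accept it.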
Summary: through the above demonstration, we can see that migrating service traffic from plaintext to two-way TLS transmission is very convenient. It can be configured step by step according to the actual needs of the services, without affecting their normal communication.
That is all for this analysis of deploying Istio to achieve two-way TLS migration. For other related issues you want to know about, you can continue to follow our industry information, where we share industry news and professional knowledge every day.