Istio Integration

Introduction

This document describes how easy it is to integrate Istio with EnRoute. Istio is a service mesh based on Envoy Proxy that encrypts traffic between micro-services inside a Kubernetes Cluster

Enabling EnRoute integration with Istio can be done in one step by setting a flag and running a container along with EnRoute (to serve secrets) to participate in Istio trust framework.

An End-to-end encryption of traffic using EnRoute and istio includes -

• Encryption from client to EnRoute
• Encryption from EnRoute to mTLS inside the mesh

We install EnRoute and Istio, enable cluster-wide mTLS, configure EnRoute for Istio environment and make the secrets available to EnRoute. We will go through each of these steps by -

• Setting up a cluster, installing Istio, setting up example workload (bookinfo app)
• Next we install EnRoute, a container to serve Istio secrets to EnRoute to make it a part of the mesh
• Enable mesh-wide mTLS enforce strict zero-trust environment and make EnRoute a part of Istio mesh
• We install a certificate on the GatewayHost to achieve end-to-end encryption

We trace through each of the above steps while monitoring the cluster to verify end-to-end encrypted traffic.

We also verify some of the steps above using the open source Kiali project for observing a Kubernetes Istio deployment

Note that it is common to have a platform approach to automating the above steps, however we enumerate them here to explain in detail about EnRoute integration with Istio

‍

The complete article can be found in the integration section of docs

‍