End-to-end encryption using EnRoute and Istio

Saaras Inc. November 27, 2022
Istio Integration

Introduction

This document describes how easy it is to integrate Istio with EnRoute. Istio is a service mesh based on Envoy Proxy that encrypts traffic between micro-services inside a Kubernetes cluster.

EnRoute's integration with Istio is enabled in one step: set a flag and run a container alongside EnRoute (to serve the Istio secrets) so that EnRoute participates in the Istio trust framework.

End-to-end encryption of traffic using EnRoute and Istio includes:

  • Encryption from the client to EnRoute
  • Encryption from EnRoute into the mesh, using mTLS

We install EnRoute and Istio, enable cluster-wide mTLS, configure EnRoute for the Istio environment and make the secrets available to EnRoute. We go through each of these steps by:

  • Setting up a cluster, installing Istio and deploying an example workload (the bookinfo app)
  • Installing EnRoute together with a container that serves Istio secrets to EnRoute, making it part of the mesh
  • Enabling mesh-wide mTLS to enforce a strict zero-trust environment and making EnRoute part of the Istio mesh
  • Installing a certificate on the GatewayHost to achieve end-to-end encryption
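The mesh-wide policy that the mTLS step above refers to, as an added example rather than configuration taken from the original article: an Istio PeerAuthentication in STRICT mode. It assumes the Istio control plane lives in the default istio-system namespace; without such a policy Istio runs in PERMISSIVE mode, which still accepts plaintext.

```yaml
# Added example: mesh-wide strict mTLS for Istio (not from the original article).
# A PeerAuthentication in the root namespace (istio-system by default; an
# assumption here) applies to every sidecar in the mesh that has no narrower
# namespace- or workload-level policy overriding it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default            # the conventional name for the single mesh-wide policy
  namespace: istio-system  # root namespace => mesh-wide scope
spec:
  mtls:
    # STRICT: sidecars accept only mutual-TLS connections from peers that
    # present an Istio-issued workload certificate; plaintext is rejected.
    # This is why EnRoute must hold mesh secrets to reach the bookinfo pods.
    # PERMISSIVE (the behaviour when no policy exists) accepts both mTLS and
    # plaintext, so it does not enforce a zero-trust environment.
    mode: STRICT
```

Apply it with `kubectl apply -f`; afterwards a plaintext request from a pod without a sidecar to a meshed service is refused, and `istioctl experimental describe pod <pod>` reports the PeerAuthentication in effect for a workload.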

We trace through each of the above steps while monitoring the cluster to verify that traffic is encrypted end-to-end.

We also verify some of the steps above using the open source Kiali project for observing a Kubernetes Istio deployment.

[Figure: Kiali view of the EnRoute deployment, shown as meshed, with HTTP metrics]

The complete article can be found in the integration section of the docs.