End-To-End Encryption Using EnRoute And Istio

This document describes how easy it is to integrate Istio with EnRoute

Istio Integration

Introduction

This document describes how to integrate Istio with EnRoute. Istio is a service mesh based on Envoy Proxy that encrypts traffic between microservices inside a Kubernetes cluster.

Enabling EnRoute integration with Istio can be done in one step: set a flag and run a container alongside EnRoute (to serve secrets) so that EnRoute participates in the Istio trust framework.

End-to-end encryption of traffic using EnRoute and Istio includes -

  • Encryption (TLS) from the client to EnRoute
  • mTLS from EnRoute to the services inside the mesh

We install EnRoute and Istio, enable cluster-wide mTLS, configure EnRoute for the Istio environment and make the Istio secrets available to EnRoute. We go through each of these steps by -

  • Setting up a cluster, installing Istio and deploying an example workload (the bookinfo app)
  • Installing EnRoute together with a container that serves Istio secrets to EnRoute, making it part of the mesh
  • Enabling mesh-wide mTLS to enforce a strict zero-trust environment, with EnRoute as a member of the Istio mesh
  • Installing a certificate on the GatewayHost to achieve end-to-end encryption
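As an added illustration of the mesh-wide mTLS step (this is not configuration from the original article or from the EnRoute project), the Istio PeerAuthentication resource below turns on STRICT mode for the whole mesh. It assumes istio-system is the mesh root namespace, which is Istio's default; a PeerAuthentication named default in the root namespace applies to every workload that has no more specific policy.

```yaml
# Added example: mesh-wide STRICT mTLS via an Istio PeerAuthentication.
# Assumes istio-system is the root namespace (Istio's default).
# In STRICT mode every sidecar rejects plaintext connections, so an
# ingress such as EnRoute can only reach mesh services if it presents
# a certificate issued under the Istio trust domain, which is what the
# secret-serving container described above provides.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

Apply it with kubectl apply -f and confirm the active policy with kubectl get peerauthentication -n istio-system. When enrolling an existing cluster, PERMISSIVE mode accepts both plaintext and mTLS, so a common rollout is to stay PERMISSIVE until every caller, the gateway included, holds mesh credentials, then switch to STRICT and verify in Kiali that the edges show as mTLS.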

We trace through each of the above steps while monitoring the cluster to verify end-to-end encrypted traffic.

We also verify some of the steps above using the open source Kiali project, which provides observability for a Kubernetes Istio deployment.

Note that it is common to take a platform approach to automating the above steps; however, we enumerate them here to explain EnRoute's integration with Istio in detail.

The complete article can be found in the integration section of the docs.