Learner

Reputation: 49

Perform TLS origination with an egress gateway with TCP protocol

My use case is the following: I want to intercept calls to the LDAP server at 172.28.0.3:389 and forward them to 172.28.0.3:636 with TLS.

I have followed the steps of egress TLS origination and it works fine. Now I am trying to use the gateway; unfortunately I am having problems setting up the ports. I have basically copied and pasted the setup from the documentation and adapted the protocols from HTTP and HTTPS to TCP and the ports 80 and 443 to 389 and 636 respectively:

    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: cnn
    spec:
      hosts:
      - ldap.host
      addresses:
      - 172.28.0.3
      ports:
      - number: 389
        name: tcp
        protocol: TCP
      - number: 636
        name: tcp-secure
        protocol: TCP
      resolution: STATIC
      endpoints:
      - address: 172.28.0.3
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: Gateway
    metadata:
      name: istio-egressgateway
    spec:
      selector:
        istio: egressgateway
      servers:
      - port:
          number: 389 # I am not sure about this
          name: tcp-port-for-tls-origination
          protocol: TCP
        hosts:
        - ldap.host
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: egressgateway-for-cnn
    spec:
      host: istio-egressgateway.istio-system.svc.cluster.local
      subsets:
      - name: cnn
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: VirtualService
    metadata:
      name: direct-cnn-through-egress-gateway
    spec:
      hosts:
      - ldap.host
      gateways:
      - istio-egressgateway
      - mesh
      tcp: # I AM NOT SURE ABOUT THIS PART
      - match:
        - gateways:
          - mesh
          port: 389
        route:
        - destination:
            host: istio-egressgateway.istio-system.svc.cluster.local
            subset: cnn
            port:
              number: 389
          weight: 100
      - match:
        - gateways:
          - istio-egressgateway
          port: 389
        route:
        - destination:
            host: ldap.host
            port:
              number: 636
          weight: 100
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: originate-tls-for-edition-cnn-com
    spec:
      host: ldap.host
      trafficPolicy:
        loadBalancer:
          simple: ROUND_ROBIN
        portLevelSettings:
        - port:
            number: 636
          tls:
            mode: SIMPLE # initiates HTTPS for connections to edition.cnn.com

I have the feeling that the problem is in the VirtualService; however, I have tried many things without success. Any hint about what might be the issue would be highly appreciated.

Upvotes: 0

Views: 1060
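A TCP-only version of the egress TLS origination pattern the question is trying to assemble, added here as an example; it is not the asker's configuration and not a manifest taken from the Istio docs. It assumes the default `istio-egressgateway` Service in `istio-system` exposes port 443 and reuses that port as a plain TCP listener, so no extra Service port has to be added for the gateway hop. `ldap.host` and `172.28.0.3` come from the question; the CA bundle path is a placeholder that would have to be mounted into the egress gateway pod.

```yaml
# Added example (not from the question or the Istio docs).
# Assumptions: the default istio-egressgateway Service in istio-system exposes
# port 443, reused here as a raw TCP listener; the LDAP server at 172.28.0.3
# speaks LDAPS on 636; the CA path is a PLACEHOLDER that must exist in the
# egress gateway pod.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: ldap
spec:
  hosts:
  - ldap.host            # logical name used by VirtualService/DestinationRule
  addresses:
  - 172.28.0.3           # sidecars match outbound TCP by this address
  ports:
  - number: 389
    name: tcp-ldap
    protocol: TCP
  - number: 636
    name: tcp-ldaps
    protocol: TCP
  resolution: STATIC
  endpoints:
  - address: 172.28.0.3
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 443        # existing Service port, used as a TCP server here
      name: tcp-ldap
      protocol: TCP
    hosts:
    - ldap.host
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ldap-through-egress-gateway
spec:
  hosts:
  - ldap.host
  gateways:
  - mesh
  - istio-egressgateway
  tcp:
  # Leg 1: application sidecar -> egress gateway (inside the mesh)
  - match:
    - gateways:
      - mesh
      port: 389
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        port:
          number: 443
  # Leg 2: egress gateway -> LDAP server, on its TLS port
  - match:
    - gateways:
      - istio-egressgateway
      port: 443
    route:
    - destination:
        host: ldap.host
        port:
          number: 636
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-tls-for-ldap
spec:
  host: ldap.host
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 636
      tls:
        mode: SIMPLE                        # the egress gateway originates TLS
        caCertificates: /etc/certs/ldap-ca.pem  # PLACEHOLDER: CA that signed the LDAP server cert
```

The two `tcp` routes are kept in one VirtualService because both are matched by gateway name: the `mesh` match catches sidecar traffic to 172.28.0.3:389 and hands it to the gateway on a port the gateway Service already has, and the `istio-egressgateway` match applies only inside the gateway, where the `ldap.host` DestinationRule turns the 636 leg into TLS. `caCertificates` is the part worth not skipping: depending on the Istio version, `SIMPLE` mode without a CA bundle may accept any certificate the LDAP server presents, which defeats the point of originating TLS. `istioctl proxy-config listener` on an application pod and on the egress gateway pod shows whether the 389 and 443 listeners were actually programmed.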

Answers (1)

Mikołaj Głodziak

Reputation: 5277

Looking into this post and your previous post, it looks like you are interested in an external custom authentication provider that supports LDAP integration. For example, you can use Keycloak, Auth0 or Google Auth.

This documentation shows an external authentication that can be integrated with Istio. Please note that the documentation may be outdated (02/2018).


Here you can find a similar problem:

As far as I'm concerned, LDAP is not working in Istio. The workaround here would be either Keycloak or Auth0. You can integrate both of them with Istio, but it's just for authentication; it won't work as LDAP itself, at least as far as I know.


You can also enable authentication with JSON Web Token (JWT) validation. Istio takes care of validating the JWT tokens in the incoming user requests, so if you implement the Istio JWT authentication feature, your application code doesn't need to bother with JWT token validation; Istio will do it for you. Not JWT token generation, though: Istio will not generate the tokens for you. You have to have an authentication microservice that generates the token. Here is a thread on how to authenticate end users using JWT.

Upvotes: 1
