RandomQuests

Reputation: 765

How do you do GRPC authentication in an istio mTLS setup?

I have a bunch of GRPC microservices and they are using self-signed certs. I add authentication info to the GRPC channel, which is then used to identify endpoints and provide the right services.

Now I want to migrate to Istio mTLS.

In phase one, I got Istio to BYPASS all GRPC connections and my services work as they do now.

In Phase two, I want to hand off TLS to Istio, but I am stuck on how to pass the authentication information to GRPC?

How do you handle auth in Istio mTLS setup?

GRPC can support other authentication mechanisms. Has anyone used this to inject Istio auth info into GRPC? Any other suggestions on how you implemented this in your setup?

I am using Go, in case this is useful for providing any additional information.

Thanks

Upvotes: 0

Views: 1230

Answers (2)

RandomQuests

Reputation: 765

I resolved this by generating a JWT token for my requests and injecting the token using an interceptor. I took inspiration from "GRPC interceptor for authorization with jwt".

Upvotes: 0
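The approach this answer describes (mint a JWT, carry it in call metadata, verify it on the server), as an added example that is not the poster's code. It uses only the Go standard library, so the interceptor wiring is left out and gRPC metadata is modelled as the `map[string][]string` it is underneath; HS256 with a shared key, the `authorization` key and the names `mintToken` and `authenticate` are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)
type claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding
var hdr = b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
func sign(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return b64.EncodeToString(m.Sum(nil))
}
// Hypothetical helper (not from the post): the HS256 JWT a client interceptor would attach.
func mintToken(key []byte, sub string, exp time.Time) string {
	body, _ := json.Marshal(claims{sub, exp.Unix()})
	msg := hdr + "." + b64.EncodeToString(body)
	return msg + "." + sign(key, msg)
}
// Hypothetical server-side check; the header is pinned so a token cannot pick its algorithm.
func authenticate(md map[string][]string, key []byte, now time.Time) (string, bool) {
	v := md["authorization"]
	if len(v) != 1 || !strings.HasPrefix(v[0], "Bearer ") {
		return "", false
	}
	p := strings.Split(strings.TrimPrefix(v[0], "Bearer "), ".")
	if len(p) != 3 || p[0] != hdr || !hmac.Equal([]byte(sign(key, p[0]+"."+p[1])), []byte(p[2])) {
		return "", false
	}
	var c claims
	raw, err := b64.DecodeString(p[1])
	if err != nil || json.Unmarshal(raw, &c) != nil || now.Unix() >= c.Exp {
		return "", false
	}
	return c.Sub, true
}
func main() {
	key, now := []byte("constructed-demo-key"), time.Now() // constructed sample key
	md := map[string][]string{"authorization": {"Bearer " + mintToken(key, "orders-svc", now.Add(time.Minute))}}
	fmt.Println(authenticate(md, key, now))
}
```

In a real service the client interceptor would add the header with `metadata.AppendToOutgoingContext`, and the server interceptor would read it with `metadata.FromIncomingContext` before running the check.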

Berk Soysal

Reputation: 2645

One way of doing this is using grpc.WithInsecure(). This way you don't have to add certificates to your services, since the istio-proxy containers in your pods will terminate TLS for any incoming connections.

Client side:

conn, _ := grpc.Dial("localhost:50051", grpc.WithInsecure())

Server side:

s := grpc.NewServer()
lis, _ := net.Listen("tcp", "localhost:50051")

// error handling omitted
s.Serve(lis)

If you still need to use TLS for on-prem deployments, etc., you can simply use a configuration option to specify this, such as:

var conn *grpc.ClientConn
var err error
// error handling omitted; do not copy-paste

if config.IstioEnabled {
    conn, err = grpc.Dial("localhost:50051", grpc.WithInsecure())
} else {
    creds, _ := credentials.NewClientTLSFromFile(certFile, "")
    conn, err = grpc.Dial("localhost:50051", grpc.WithTransportCredentials(creds))
}

Reference.

Upvotes: 3
