Qin Zhengquan

Reputation: 467

Traffic from Google L7 cloud load balancer to istio-gateway

In the Google doc "From edge to mesh: Expose service mesh applications through GKE Gateway", it states:

The next hop, which is between the Google Front End (GFE) and the mesh ingress proxy, is encrypted by default. Network-level encryption between the GFEs and their backends is applied automatically. However, if your security requirements dictate that the platform owner retain ownership of the encryption keys, then you can enable HTTP/2 with TLS encryption between the cluster gateway (the GFE) and the mesh ingress (the envoy proxy instance). When you enable HTTP/2 with TLS encryption for this path, you can use a self-signed or public certificate to encrypt traffic because the GFE doesn't authenticate against it.

I am very confused by this statement. Does that mean, if I do not want or require this extra layer of encryption, I do not need to specify TLS mode for my istio gateway?

Example

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway
  namespace: 
  labels:
    ...
spec:
  selector:
    asm: workload
  servers:
  # single plaintext listener: protocol HTTP and no tls: block, so the
  # gateway itself never performs a TLS handshake on this port
  - port:
      number: 8080
      name: service
      protocol: HTTP
    hosts:
    - "*"

So my confusion is: if the traffic is encrypted from the GFE load balancer to my Istio gateway, does it automatically get decrypted if my gateway is not handling the TLS termination with self-signed certificates? E.g., when I allow my ingress to connect to my gateway service through the HTTP protocol, does the statement that the GFE load balancer encrypts traffic by default to the mesh ingress proxy still hold true?

Upvotes: 0

Views: 58
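Added illustration of the two configurations the quoted guide contrasts (this is not code from the question or from Google's guide; the namespace asm-ingress, the Secret name asm-ingress-tls and the Service name asm-ingressgateway are assumptions). The first server block is the plaintext listener from the question: the encryption the guide describes for that hop is Google's network-level encryption between the GFE and the backend, applied outside the pod, so the Envoy listener only ever sees HTTP. The second server block is the optional path where the platform owner holds the keys: the mesh ingress terminates its own TLS session with a certificate you control. Istio's tls mode SIMPLE is server-side TLS only, which matches the guide's remark that the GFE does not authenticate against the certificate; MUTUAL would fail because the GFE presents no client certificate. The Service's appProtocol is what tells the GKE Gateway controller which protocol the load balancer must speak toward the backend, so switching listeners means changing both resources together.

```yaml
# Added example, not from the question or from Google's guide.
# Assumed names: namespace asm-ingress, Secret asm-ingress-tls, Service asm-ingressgateway.
#
# Create the self-signed server certificate and the Secret first, in the namespace
# where the mesh ingress pods run (Istio resolves credentialName in that namespace):
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#     -subj "/CN=asm-ingress" -keyout tls.key -out tls.crt
#   kubectl -n asm-ingress create secret tls asm-ingress-tls --key tls.key --cert tls.crt
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: asm-ingress
spec:
  selector:
    asm: workload                 # same selector as in the question
  servers:
  # Plaintext listener (the question's configuration). Encryption on the hop from the
  # GFE is Google's network-level encryption, transparent to the pod; no TLS handshake
  # reaches Envoy, so there is nothing for the gateway to decrypt here.
  - port:
      number: 8080
      name: http
      protocol: HTTP
    hosts:
    - "*"
  # TLS listener (the optional "platform owner keeps the keys" path). The GFE opens a new
  # TLS session to this port; mode SIMPLE is server-only TLS. Do not use MUTUAL:
  # the GFE presents no client certificate.
  - port:
      number: 8443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: asm-ingress-tls   # kubernetes.io/tls Secret in this namespace
    hosts:
    - "*"
---
# Service fronting the mesh ingress pods, referenced by the GKE Gateway HTTPRoute.
# appProtocol selects the protocol the load balancer uses toward the backend:
# HTTP for the plaintext 8080 listener, HTTPS (or HTTP2 for h2 over TLS) for 8443.
apiVersion: v1
kind: Service
metadata:
  name: asm-ingressgateway
  namespace: asm-ingress
spec:
  type: ClusterIP
  selector:
    asm: workload
  ports:
  - name: https
    port: 443
    targetPort: 8443
    appProtocol: HTTPS
```

If you keep only the 8080 listener, leave the Service port on targetPort 8080 with appProtocol HTTP (or unset); the two listeners above are shown side by side so the difference is visible in one manifest, and a deployment normally exposes only the one it actually uses.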

Answers (0)
