Configure a workload with a sidecar whose peer-authentication policy's mTLS mode is PERMISSIVE so it can accept mTLS traffic from workloads without sidecars using standard ALPNs
Introduction
You can use an ALPN annotation to configure a workload with a sidecar whose peer-authentication mTLS mode is PERMISSIVE so that it accepts mTLS traffic from workloads without sidecars that offer standard HTTP ALPNs.
Prerequisite
This feature is supported in Aspen Mesh 1.11.8-am1.1, 1.11.8-am1.2, and 1.11.8-am3 and later.
Background
A server workload with a sidecar that needs to accept both plaintext and mTLS traffic from client workloads without sidecars must have its Istio peer-authentication mTLS mode set to PERMISSIVE. Normally, in PERMISSIVE mode, the server's sidecar accepts mTLS traffic only when the client offers an Istio-specific ALPN (for example, istio-http/1.1), which is not a standard ALPN. A sidecar-less client that offers only the standard HTTP ALPNs (http/1.0, http/1.1, and h2) therefore has its mTLS connection rejected by the server's sidecar. The ALPN annotation described on this page lifts that restriction for the annotated namespace or workload.
Before you begin
Before workloads without a sidecar can communicate over mTLS with workloads with a sidecar, you must do the following:
1. Enable and install Aspen Mesh Citadel and annotate the relevant namespaces so that Citadel generates secrets for workloads in those namespaces.
2. In each namespace, mount the secret created by Citadel into the workloads that have no sidecar, so they have a certificate and key to present during the mTLS handshake.
3. Make sure that your workloads without sidecars offer standard HTTP ALPNs (http/1.0, http/1.1, or h2) when initiating communication over mTLS with workloads with sidecars; the annotation does not help a client that offers no ALPN at all.
Configure a namespace so workloads with sidecars in that namespace can accept mTLS traffic from workloads without sidecars using standard ALPNs
Modify the namespace-wide peer-authentication policy (the one without a selector) so it includes the following field:
.metadata.annotations.http-alpns.aspenmesh.io: "true"
Example

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: default
      namespace: foo
      annotations:
        http-alpns.aspenmesh.io: "true"
    spec:
      mtls:
        mode: PERMISSIVE
Configure a workload with a sidecar so it can accept mTLS traffic from workloads without sidecars using standard ALPNs
Modify the workload-scoped peer-authentication policy (the one whose selector matches the workload's labels) so it includes the following field:
.metadata.annotations.http-alpns.aspenmesh.io: "true"
Give the workload policy a name that differs from the namespace-wide policy (here, finance instead of default), because two PeerAuthentication objects in the same namespace cannot share a name; applying a second object named default would replace the namespace-wide policy rather than add to it.
Example

    apiVersion: security.istio.io/v1beta1
    kind: PeerAuthentication
    metadata:
      name: finance
      namespace: foo
      annotations:
        http-alpns.aspenmesh.io: "true"
    spec:
      selector:
        matchLabels:
          app: finance
      mtls:
        mode: PERMISSIVE
Restrictions
- Use of the ALPN annotation requires that the peer-authentication policy's mTLS mode is set to PERMISSIVE. The STRICT and NONE modes are not supported.
- Use of the ALPN annotation in the istio-system namespace is not supported.
- If you use the ALPN annotation on both a namespace and a workload in that namespace, the workload ALPN annotation overrides the namespace ALPN annotation. For example, if the namespace ALPN annotation is set to "true" but the ALPN annotation for a workload in that namespace is set to "false", that workload won't accept mTLS traffic from workloads without sidecars using standard ALPNs, but the other workloads in that namespace will.
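The following script is an added example for this page and is not Aspen Mesh or Istio code. It lints PeerAuthentication manifests for the rules in the Restrictions section (the annotation needs mtls.mode PERMISSIVE, is not supported in istio-system, and a workload-scoped policy overrides the namespace-wide one) and resolves, for a given sidecar workload, whether the namespace and workload examples above leave it accepting standard ALPNs. The manifests are constructed copies of the page's examples, pre-parsed into Python dicts so that no YAML library is needed; the two "bad" policies and the app=billing workload are assumptions introduced only to exercise the rules.

```python
"""Lint PeerAuthentication manifests that carry the http-alpns.aspenmesh.io
annotation and resolve which setting a given sidecar workload ends up with.

Added example for this page, not Aspen Mesh or Istio code. The policies at
the bottom are constructed test data mirroring the page's examples.
"""

ALPN_ANNOTATION = "http-alpns.aspenmesh.io"


def alpn_annotation(policy):
    """Return the annotation value ("true"/"false"), or None when absent."""
    annotations = policy.get("metadata", {}).get("annotations") or {}
    return annotations.get(ALPN_ANNOTATION)


def mtls_mode(policy):
    """Return spec.mtls.mode, or None when the policy does not set one."""
    return (policy.get("spec", {}).get("mtls") or {}).get("mode")


def lint_policy(policy):
    """Return a list of human-readable findings for one PeerAuthentication."""
    findings = []
    meta = policy.get("metadata", {})
    ident = f'{meta.get("namespace", "?")}/{meta.get("name", "?")}'
    value = alpn_annotation(policy)
    if value is None:
        return findings  # no annotation: nothing to check
    if value not in ("true", "false"):
        findings.append(f'{ident}: {ALPN_ANNOTATION} must be "true" or "false", got {value!r}')
    mode = mtls_mode(policy)
    if mode != "PERMISSIVE":
        findings.append(f"{ident}: the ALPN annotation requires mtls.mode PERMISSIVE, found {mode}")
    if meta.get("namespace") == "istio-system":
        findings.append(f"{ident}: the ALPN annotation is not supported in istio-system")
    return findings


def selector_matches(policy, labels):
    """True when spec.selector.matchLabels is a subset of the workload's labels."""
    match = (policy.get("spec", {}).get("selector") or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in match.items())


def accepts_standard_alpns(policies, namespace, labels):
    """Resolve whether a sidecar workload in `namespace` carrying `labels`
    accepts mTLS from sidecar-less clients that offer http/1.0, http/1.1 or h2.
    A workload-scoped policy (one with a selector) that matches the workload
    wins over the namespace-wide policy; a policy without the annotation has
    no effect either way."""
    ns_policy = None
    wl_policy = None
    for policy in policies:
        if policy.get("metadata", {}).get("namespace") != namespace:
            continue
        if alpn_annotation(policy) is None:
            continue
        if "selector" in policy.get("spec", {}):
            if selector_matches(policy, labels):
                wl_policy = policy
        else:
            ns_policy = policy
    winner = wl_policy if wl_policy is not None else ns_policy
    if winner is None:
        return False
    # Only an annotation of "true" on a PERMISSIVE policy enables the behaviour.
    return alpn_annotation(winner) == "true" and mtls_mode(winner) == "PERMISSIVE"


def peer_auth(name, namespace, annotation=None, mode="PERMISSIVE", selector=None):
    """Build a PeerAuthentication dict (constructed test data, not a live manifest)."""
    policy = {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "PeerAuthentication",
        "metadata": {"name": name, "namespace": namespace, "annotations": {}},
        "spec": {"mtls": {"mode": mode}},
    }
    if annotation is not None:
        policy["metadata"]["annotations"][ALPN_ANNOTATION] = annotation
    if selector is not None:
        policy["spec"]["selector"] = {"matchLabels": selector}
    return policy


# Constructed samples: the page's namespace and workload examples (the workload
# one flipped to "false" as in the Restrictions text), plus two assumed policies
# that violate the restrictions.
NS_FOO = peer_auth("default", "foo", annotation="true")
FINANCE_FOO = peer_auth("finance", "foo", annotation="false", selector={"app": "finance"})
BAD_STRICT = peer_auth("default", "bar", annotation="true", mode="STRICT")
BAD_ISTIO_SYSTEM = peer_auth("default", "istio-system", annotation="true")
POLICIES = [NS_FOO, FINANCE_FOO, BAD_STRICT, BAD_ISTIO_SYSTEM]

if __name__ == "__main__":
    for policy in POLICIES:
        for finding in lint_policy(policy):
            print("FINDING:", finding)
    print("foo/app=finance accepts standard ALPNs:",
          accepts_standard_alpns(POLICIES, "foo", {"app": "finance"}))
    print("foo/app=billing accepts standard ALPNs:",
          accepts_standard_alpns(POLICIES, "foo", {"app": "billing"}))
```

The resolver reports False for the finance workload and True for any other sidecar workload in foo, which is exactly the override rule stated above. To confirm the behaviour on a live cluster rather than on manifests, open an mTLS connection from a sidecar-less pod with the Citadel-issued certificate and key and a standard ALPN, for example `openssl s_client -connect <host>:<port> -cert <cert> -key <key> -CAfile <ca> -alpn http/1.1` (the bracketed values are placeholders), and check the "ALPN protocol:" line in its output: with the annotation in place the handshake completes and http/1.1 is reported as negotiated.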