This is a demo of mTLS origination at an Istio egress gateway. Access to the server is authorized only if the client presents a certificate that it trusts. The client is a simple proxy that will send a request to the server and return its response.

The following instructions describe how to provision this demo in an OpenShift cluster.

1. Install the Red Hat OpenShift Certificate Manager operator.
2. Provision the certificate issuers

oc apply -f cert-manager/ -n openshift-cert-manager

oc new-project server
oc apply -f server/manifests/ -n server

This is an example of traditional client identity instrumentation provided as a comparison. A keystore secret is mounted directly to the application pod and consumed by the application to secure the request.

oc new-project client
oc apply -f client/manifests/ -n client

1. Install Elasticsearch operator all namespaces
2. Install OpenShift Distributed Tracing operator all namespaces
3. Install Kiali operator all namespaces
4. Install OpenShift Service Mesh operator all namespaces
5. Create a namespace for the service mesh control plane
6. Provision a control plane (see below)

oc new-project istio-system
oc apply -f istio-system/ServiceMeshControlPlane_basic.yaml -n istio-system

oc new-project client-mesh
oc apply -f istio-system/ServiceMeshMemberRoll_default.yaml -n istio-system

oc apply -f istio-system/Secret_client-tls.yaml -f istio-system/Certificate_client-tls.yaml -n istio-system

Substitute your cluster's wildcard domain into the Gateway and VirtualService for the client UI in order to support ingress to the client endpoint for demonstration.

oc apply -f client-mesh/manifests/ -n client-mesh

JavaScript examples: Matteo Mattei