How to use mTLS without using istio ingress and using azure app gateway ingress?

Uday Kiran Reddy (ureddy) 61 Reputation points

We have our application running in an AKS cluster and are using the cert-manager Helm chart in a separate namespace for Let's Encrypt certificate generation. The argocd namespace is for handling deployments.

We need to enable mTLS. Does that require Istio to be labelled on the argocd and cert-manager namespaces also?

And we already have the Azure Application Gateway ingress to route traffic to the deployments running in our namespace, so we didn't enable the Istio ingress.

Once I enabled the STRICT option at the global level, routing stopped working from the Azure Application Gateway ingress to our application.

kubectl apply -n istio-system -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls: {mode: STRICT}
EOF

And I am getting 502 Bad Gateway.

If I remove the above PeerAuthentication or change it to PERMISSIVE, then it is able to access the page without the 502 error.

What should I do to implement STRICT mode without the Istio ingress?

kubectl edit peerauthentication -n istio-

1 answer

  1. vipullag-MSFT 21,451 Reputation points Microsoft Employee

    Hello Uday Kiran Reddy (ureddy)

    Firstly, apologies for the delay in responding here.

    In order to achieve mTLS, the ingress gateway and the backend application must both present and verify certificates. Application Gateway does not have support for backend TLS encryption (often called re-encrypt).

    I checked with the internal team on this; support for using the Istio add-on with Application Gateway for Containers is on the product team's roadmap. There is no ETA on this yet.

    Hope this helps.
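Since Application Gateway cannot join the mesh, the usual way to keep the mesh-wide STRICT default from the question while still accepting the gateway's traffic is a workload-level PeerAuthentication that relaxes only the one port the gateway targets. This is an added example, not part of the question or the Microsoft answer; the namespace `myapp`, the label `app: web-frontend` and the container port `8080` are assumed and must be replaced with your own values.

```yaml
# Mesh-wide default: every sidecar-to-sidecar connection must use Istio mTLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Narrow exception for the single workload Application Gateway talks to.
# Only the listed container port accepts plaintext; every other port on this
# workload, and every other workload in the mesh, keeps the STRICT default.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: allow-appgw-plaintext
  namespace: myapp              # assumed: namespace of your deployments
spec:
  selector:
    matchLabels:
      app: web-frontend         # assumed: pod label of the service behind the AGIC ingress
  portLevelMtls:
    8080:                       # assumed: the container (not Service) port the gateway targets
      mode: PERMISSIVE
```

The gateway-to-pod hop on that port is still not mutually authenticated by Istio, which is exactly the gap the answer describes; `kubectl get peerauthentication -A` shows both policies so you can confirm the exception is scoped to one workload rather than the whole namespace.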