►
From YouTube: Redis TLS Origination with the sidecar
Description
#IstioCon2021
Presented at IstioCon 2021 by Sam Stoelinga.
So you’ve actually done security well and are using an external Redis provider that only allows TLS to talk to it. You could simply configure each of your applications to use TLS from the application pod or you can use Istio to handle the TLS part. This lightning talk demonstrates how to use Istio to do TLS origination for Redis (TCP) using the sidecar instead of the egress gateway.
A
Hello:
everyone-
this
is
sam
stulinga.
Today,
I'm
going
to
present
to
you
redis
tos,
origination,
3d
site
car
am
a
customer
engineer
at
google
cloud
and
what
it
means
is
I
get
to
help
customers
with
a
lot
of
their
fun
use
cases
about
istio,
and
today
is
one
of
those
use
cases
that
I
will
be
presenting
it's
based
on
a
blog
post
as
well.
If
you
do
want
to
read
and
replicate
it
yourself,
it's
quite
easy.
By
going
to
the
blog
post,
I
wrote
before
the
today's
session
will
be
structured
in
three
sections
number.
A
One
is:
what
is
the
problem
that
we're
trying
to
solve
with
this?
How
can
how
are
we
solving
it,
and
then
I
will
do
a
quick
demo
of
this,
and
so
you
get
a
sense
of
how
it
works
and
what
are
the
benefits
of
it.
A
A
This
external
redis,
however,
only
accepts
tos,
so
each
microservice
needs
to
set
up
the
tos
settings
like
configure
assert
and
that's
all
part
of
that
will
then
be
part
of
your
contained
image
or
you
somehow
plug
it
up
plug
it
into
a
secret,
and
that
can
be
a
bit
tedious
to
configure.
All
of
that.
So
that's
pro
number
one.
The
second
problem
is
because
it's
all
encrypted
istio
itself
doesn't
see
the
traffic
that's
going
into
redis,
because
you're
doing
the
encryption
directly
in
the
application
container
itself.
A
I
mean
it's
a
very
vague
term,
so
let
me
let
me
make
it
a
bit
more
concrete.
This
is
how
traffic
looks
like
through
kiali
before
tos
origination
is
set
up,
and
it's
unclear
where
the
traffic
is
going,
there's
no
metrics
that
are
specific
to
the
redis
external
service.
So
you,
like
you,
have
you
have
zero
visibility?
A
And
now
why
do
I
say
more
visibility?
This
is
how
traffic
looks
like
after
tos
origination.
So
now,
at
least
in
the
graph,
you
can
see
that
there's
an
external
ivan
redis,
I'm
using
ivan
in
this
case,
but
it
could
be
any
called
external
radius
and
the
on
the
left
side.
You
see
that
we
now
have
some
metrics,
so
we
see
tcp
sent
and
tcp
received
specifically
to
the
redis
endpoint
that
we're
talking
to.
A
So
how
do
you
set
this
up?
There's
two
main
steps.
Step
number
one
is
to
create
a
service
entry
for
the
external
service,
so
that
istio
knows
about
redis,
because
otherwise,
because
it's
an
external
service,
it's
not
kubernetes,
doesn't
know
about
it.
Istio
doesn't
know
about
it.
That's
why
we
specifically
need
to
create
a
service
entry
for
it.
The
second
step
is
to
create
a
destination
rule,
to
really
set
up
the
tos
origination
and
really
the
key
part.
A
A
A
Let's
first
try
that
and
then
afterwards
we're
going
to
create
a
destination
rule
and
a
service
entry
and
the
expedition
is
that
then
immediately
afterward?
We
should
be
able
to
connect
over
redis
through
unencrypted
tos,
all
right.
Let's
give
it
a
try
all
right.
So
let's
take
a
look
at
environment
we
have
for
this
demo.
We
have
a
gk
cluster,
that's
up
and
running
and
has
sto
1.8
installed.
A
A
A
And
what
I
expect
to
happen
when
I
do
I
I'm
trying
to
connect
over
it
and
yes,
this
is
the
password,
but
I
promise
you
by
the
time
this
lightning
talk
is
live.
This
password
will
no
longer
work
work.
A
I
am
going
to
I'm
going
to
just
try
and
get
a
key
that
I
have
set
previously
on
this
redis
server
and
I
expect
it
to
fail.
But
let's
see
yes,
error,
server,
close
connection,
so,
as
you.
A
A
Let's
take
a
look
at
what
keali
sees
here,
I'm
going
to
select
my
redis
namespace
and
then
we
can
take
a
look
and
you
see
the
graph
it
doesn't
show
marks.
It
just
shows
this
passthrough
cluster
because
it
doesn't
actually
see
see
anything
same
for
here.
It
does
show
something,
but
it
will
show
it
shows
the
metrics
business
so
where
this
is
going.
A
So
that's
how
it
looks
like
right
now:
okay-
and
it's
also
where
you
saw
the
screenshots
from
now-
what
I'm
going
to
do
next
is
I'm
going
to
apply
the
destination
rule
for
it.
A
And
I'm
going
to
add
the
service
entry,
and
I
will
show
you
in
a
moment
that
that's
a
what's
inside
those
two
files,
it's
basically
the
same
file
that
I
showed
in
the
presentation,
but
I
will
open
it
in
a
moment.
Let's
first
take
a
look
at
at
the
exact
and
let's
see
if
we
run
the
same
command
as
we
did
last
time,
look
there's
no
tos,
it's
it's
just
connecting
over
plain
tcp
to
the
external
redis.
A
But
this
time,
however,
because
we
set
up
the
service
entry,
I
expect
to
be
a
result.
There
ago
it
says,
get
hello
and
we
got
back
the
result
world
2.,
I'm
going
to
show
you
that
we
can
also
set
a
new
key,
we're
going
to
call
it
world
tree
and
then,
when
I
get
it,
it
just
shows
the
updated
result.
So
now
we're
talking
to
this
external
redis
over
plain
tcp.
A
According
to
the
application
part,
however,
the
sdo
site
proxy,
the
the
the
seo
site
card,
the
proxy
is
encrypting
the
traffic
first
transparently
without
the
app
having
to
care,
that's
being
transferred
or
about
search,
etc.
So,
let's,
let's
go
back
and
let's
take
actually
let
me
generate
some
more
data,
that's
probably
more
fun.
A
I
am
going
to
do
500
requests,
so
we
we
see
a
spike
in
traffic
and
I'm
just
going
to
it
just
send
it
send
a
lot
of
traffic
and
it
got
a
lot
of
traffic
back
and
then
we
we
should
see
it
spike
as
well
in
the
in
the
dashboard.
Let's
give
it
a
moment
and
what
we'll
see
is?
Oh,
it's
already
popping
up.
A
You
can
see
the
rate
of
traffic
to
this
external
and
then,
when
you
track,
when
you
go
to
the
graph,
it
will
also
show
up
here
and
when
you
want
to
check
the
metrics.
You
can
check
here
and
you
see
that
that
it's
now
1.2
kilo
bit
per
second-
and
I
bet
you
if
I
keep
on
refreshing,
it's
going
to
be
updated
slightly
more.
A
This
was
the
main
demonstration
just
wanted
to
show
that
after
you
it,
it
immediately
starts
having
effect
and
just
for
reference.
I
will
quickly
show
the
service
entry,
which
was
also
shown
in
the
slide.
Where
we
just
say
anything,
that's
going
to
this
host
match
will
match
this
surface
entry
and
then
the
other
part
that
we
have
is
the
destination
rule
is
where
we
set
anything
that
goes
to
this
host
makes
encrypt
the
traffic
with
tos
using
simple
tos
and
use
the
system
search
that
are
located
in
this
directory
inside
the
istio
proxy.