Description
#IstioCon2021
Presented at IstioCon 2021 by Zufar Dhiyaulhaq & Vijay Dhama.
One of our main goals in GoPay is to automate mutual TLS communication between GoPay and our partner. We will share how we decide to use and manage Istio, change the configuration to suit our mTLS use cases, how we adapt Istio changes related to mutual TLS, and how our central certificate is managed, and how to set up automatic mutual TLS communication with Istio Egress TLS origination and Istio Gateway.
A
Hello, welcome everyone. My name is Vijay Dhama, I'm with my colleague, Zufar Dhiyaulhaq. Today we're going to talk about how, in GoPay, we automate mTLS communication with our GoPay partners using Istio.
A
We both are working as SREs in the payments arm of a project called GoPay. As a brief introduction, Gojek is a super app, which is basically a tech platform that provides access to a wide range of services like transport, payments, food delivery, logistics, etc.
A
Secondly, we're going to talk about how the world looked before mutual TLS. I'm also going to talk about how we implemented our mutual TLS setup in Istio, etc., and we're also going to talk about the challenges that we faced and the future work we expect to do after this. Now we're going to start with GoPay and Istio.
B
So in GoPay we have multiple Kubernetes clusters, more than 250 microservices, 3,000 deployments every week and 150 million API calls also. We have both REST and gRPC services, and we also have services written in Golang, Java, Clojure and Ruby.
B
Basically, GoPay has been using gRPC since 2016, and we decided to use Envoy and Consul before migrating VM services to containers, because it had the ability to load balance traffic between the VM and the container itself. Over time, managing Envoy and Consul became slightly burdensome because we needed to maintain all of the configuration for all the microservices that we have.
A
Before mutual TLS, the setup that we had with our GoPay partners was either using a VPN or using HTTPS with allow listing. Basically, what we did was store the NAT gateway IPs from our GoPay partners and then allow only those IPs to connect to our HTTPS endpoints. This restricted and improved the security of our endpoints, and we knew who we were allowing to connect, but the issue with this approach is that you need a lot of maintenance effort in terms of managing those endpoints.
A
So in case the NAT IPs of our GoPay partners change, we need to update those endpoints, and vice versa, if we need to do the same thing for our GoPay partners. This is also not a preferred approach suggested by our security team, so this is when we decided that we want to move away from this and move to mTLS, which is what our security team suggests.
A
This also allows for internal attacks if the IPs can be changed, and that is not what we wanted. So now we will move on to implementing mutual TLS. The first step was, we wanted... We have a service that provides certificate management, that is responsible for maintaining our mTLS certificates, renewing those certificates and updating those certificates back into our services.
B
Okay, so our mutual TLS setup in Istio is divided into two parts: ingress and egress traffic. So for ingress traffic to our cluster, it's basically an external client calling our services using mutual TLS.
B
We use the Gateway mechanism with mode MUTUAL. Also, we leverage the subject alternative name in the Gateway manifest to verify the client side, in case we are using a public certificate, and we also can have additional IP allow listing if necessary in this setup. For egress traffic, we are using the egress TLS origination concept from Istio, so the client in this case only needs to talk with the HTTP protocol and the Istio sidecar will automatically upgrade the HTTP connection to mutual TLS traffic and add the certificate automatically.
B
Also, in the future work, we plan to migrate the egress TLS origination mechanism to use the egress gateway, because then we do not need to mount the certificate directly into the sidecar and can just let the egress gateway handle the certificate itself.