I am a little confused about the mTLS flow of Istio. In the Bookinfo example, I see that services are making calls over HTTP instead of HTTPS. If there is mTLS between services, then why do the services make HTTP calls?
Can it be that HTTP from the service goes to the Envoy proxy, which converts it into HTTPS? But then, in the Envoy proxy logs of the server, I see HTTP in the logs.
Can anybody please explain how this works?
Regards
> HTTP from service goes to envoy proxy which converts it into https
Correct, but only if you enable this feature in Istio. To enable it, see the installation step 5 in https://istio.io/docs/setup/kubernetes/quick-start.html#installation-steps:
Install Istio and enable mutual TLS authentication between sidecars:
kubectl apply -f install/kubernetes/istio-auth.yaml
You may also want to read about testing this feature: https://istio.io/docs/tasks/security/mutual-tls.html.
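One way to check the behaviour discussed above from a packet capture, added here as an example and not part of the original question or answer: classify the first payload bytes of each hop as plaintext HTTP or a TLS handshake record. With mutual TLS enabled, the application-to-sidecar hop should classify as HTTP and the sidecar-to-sidecar hop as TLS. The function names, hop labels and sample payloads are assumptions constructed for illustration.

```python
"""Classify the first bytes of a TCP payload as plaintext HTTP or TLS."""
import struct

# Prefixes that open a plaintext HTTP/1.x request or response, or an HTTP/2 preface.
HTTP_PREFIXES = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ",
                 b"OPTIONS ", b"PATCH ", b"CONNECT ", b"PRI ", b"HTTP/1.")
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}


def classify_payload(data: bytes) -> str:
    """Return 'http', 'tls:<handshake type>' or 'unknown'."""
    if data.startswith(HTTP_PREFIXES):
        return "http"
    if len(data) < 6:
        return "unknown"  # too short for a 5-byte record header plus handshake type
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    # TLS handshake record: content type 0x16, version 3.x, length at most 2^14.
    if content_type == 0x16 and major == 3 and minor <= 4 and 0 < length <= 16384:
        return "tls:" + HANDSHAKE_TYPES.get(data[5], "handshake")
    return "unknown"


# Constructed samples (not real captures).
# Hop 1: application container to its own sidecar, over loopback.
APP_TO_SIDECAR = b"GET /reviews/0 HTTP/1.1\r\nHost: reviews:9080\r\n\r\n"
# Hop 2: sidecar to sidecar, over the pod network. Record header
# (16 03 01 00 c8) followed by the start of a ClientHello (01 00 00 c4 03 03).
SIDECAR_TO_SIDECAR = bytes.fromhex("16030100c8010000c40303") + bytes(32)


def classify_hops(captures: dict) -> dict:
    """Map each hop label to the classification of its first payload."""
    return {hop: classify_payload(payload) for hop, payload in captures.items()}


def sample_report() -> dict:
    return classify_hops({
        "app->sidecar (loopback)": APP_TO_SIDECAR,
        "sidecar->sidecar (pod network)": SIDECAR_TO_SIDECAR,
    })


if __name__ == "__main__":
    for hop, verdict in sample_report().items():
        print(f"{hop}: {verdict}")
```

If the sidecar-to-sidecar hop classifies as `http`, mutual TLS is not in effect for that connection.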