TLS with mandatory mutual authentication is the gold standard for communication in distributed applications and forms the backbone of a Zero Trust Network. Envoy can do it for you with no application code changes, but if you just “turn it on” in a live production cluster you’ll quickly find you have a major disruption on your hand.
In this presentation, Spike will explain and demonstrate how to take a production cluster from a completely unencrypted to fully secured without dropping traffic. The demonstration will use Istio, but Spike will explain conceptually and cover the Envoy config changes being made in each step so the techniques can be applied to any Envoy service mesh.
Spike Curtis is a software developer at Tigera. He co-leads the Istio Security Working Group and is a contributing author of SPIFFE specifications. He is also a core developer for Calico.
