Merge pull request #22477 from neal-timpe/securityassembly

security assembly and mtls

Author: JStickler

_topic_map.yml

@@ -1445,10 +1445,8 @@ Topics:
     File: ossm-traffic-manage
   - Name: Data visualization and observability
     File: ossm-observability
-#  - Name: Grafana tutorial
-#    File: ossm-tutorial-grafana
-#  - Name: Prometheus tutorial
-#    File: ossm-tutorial-prometheus
+  - Name: Security
+    File: ossm-security
 - Name: Support
   Dir: service_mesh_support
   Topics:

modules/ossm-security-mtls.adoc

@@ -0,0 +1,63 @@
+// Module included in the following assemblies:
+//
+// * service_mesh/service_mesh_user_guide/ossm-security.adoc
+
+[id="ossm-security-mtls_{context}"]
+= Enabling mutual Transport Layer Security (mTLS)
+
+Mutual Transport Layer Security (mTLS) is a protocol where two parties authenticate each other at the same time. It is the default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS).
+
+MTLS can be used without changes to the application or service code. The TLS is handled entirely by the service mesh infrastructure and between the two sidecar proxies.
+
+By default, {ProductName} is set to permissive mode, where the sidecars in {ProductShortName} accept both plain-text traffic and connections that are encrypted using mTLS. If a service in your mesh is communicating with a service outside the mesh, strict mTLS could break communication between those services. Use permissive mode while you migrate your workloads to {ProductShortName}.
+
+== Enabling strict mTLS across the mesh
+
+If your workloads do not communicate with services outside your mesh and communication will not be interrupted by only accepting encrypted connections, you can enable mTLS across your mesh quickly. Set `spec.istio.global.mtls.enabled` to `true` in your ServiceMeshControlPlane resource. The operator creates the required resources.
+
+[source,yaml]
+----
+apiVersion: maistra.io/v1
+kind: ServiceMeshControlPlane
+spec:
+  istio:
+    global:
+      mtls:
+        enabled: true
+----
+
+[id="ossm-security-mtls-sidecars-incoming-services_{context}"]
+=== Configuring sidecars for incoming connections for specific services
+
+You can also configure mTLS for individual services or namespaces by creating a policy.
+
+[source,yaml]
+----
+apiVersion: "authentication.maistra.io/v1"
+kind: "Policy"
+metadata:
+  name: "default"
+  namespace: <NAMESPACE>
+spec:
+  peers:
+  - mtls: {}
+----
+
+[id="ossm-security-mtls-sidecars-outgoing_{context}"]
+== Configuring sidecars for outgoing connections
+
+Create a destination rule to configure {ProductShortName} to use mTLS when sending requests to other services in the mesh.
+
+[source,yaml]
+----
+apiVersion: "networking.istio.io/v1alpha3"
+kind: "DestinationRule"
+metadata:
+  name: "default"
+  namespace: <CONTROL_PLANE_NAMESPACE>
+spec:
+  host: "*.local"
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL
+----

service_mesh/service_mesh_user_guide/ossm-security.adoc

@@ -0,0 +1,10 @@
+[id="ossm-security"]
+= Customizing security in a Service Mesh
+include::modules/ossm-document-attributes.adoc[]
+:context: ossm-security
+
+toc::[]
+
+If your service mesh application is constructed with a complex array of microservices, you can use {ProductName} to customize the security of the communication between those services. The infrastructure of {product-title} along with the traffic management features of {ProductShortName} can help you manage the complexity of your applications and provide service and identity security for microservices.
+
+include::modules/ossm-security-mtls.adoc[leveloffset=+1]