add dataplane explanation

neal-timpe · neal-timpe · commit 6fe8ec98ed39 · 2021-03-10T15:28:52.000-05:00
diff --git a/modules/ossm-security-mtls-1x.adoc b/modules/ossm-security-mtls-1x.adoc
@@ -7,7 +7,7 @@
 
 Mutual Transport Layer Security (mTLS) is a protocol where two parties authenticate each other. It is the default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS).
 
-MTLS can be used without changes to the application or service code. The TLS is handled entirely by the service mesh infrastructure and between the two sidecar proxies.
+mTLS can be used without changes to the application or service code. The TLS is handled entirely by the service mesh infrastructure and between the two sidecar proxies.
 
 By default, {ProductName} is set to permissive mode, where the sidecars in {ProductShortName} accept both plain-text traffic and connections that are encrypted using mTLS. If a service in your mesh is communicating with a service outside the mesh, strict mTLS could break communication between those services. Use permissive mode while you migrate your workloads to {ProductShortName}.
 
diff --git a/modules/ossm-security-mtls.adoc b/modules/ossm-security-mtls.adoc
@@ -5,16 +5,16 @@
 [id="ossm-security-mtls_{context}"]
 = Enabling mutual Transport Layer Security (mTLS)
 
-Mutual Transport Layer Security (mTLS) is a protocol where two parties authenticate each other. It is the default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS).
+Mutual Transport Layer Security (mTLS) is a protocol where two parties authenticate each other. It is the default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS). mTLS can be used without changes to the application or service code. The TLS is handled entirely by the service mesh infrastructure and between the two sidecar proxies.
 
-MTLS can be used without changes to the application or service code. The TLS is handled entirely by the service mesh infrastructure and between the two sidecar proxies.
+By default, mTLS in {ProductName} is enabled and set to permissive mode, where the sidecars in {ProductShortName} accept both plain-text traffic and connections that are encrypted using mTLS. If a service in your mesh is communicating with a service outside the mesh, strict mTLS could break communication between those services. Use permissive mode while you migrate your workloads to {ProductShortName}. Then, you can enable strict mTLS across your mesh, namespace, or application.
 
-By default, {ProductName} is set to permissive mode, where the sidecars in {ProductShortName} accept both plain-text traffic and connections that are encrypted using mTLS. If a service in your mesh is communicating with a service outside the mesh, strict mTLS could break communication between those services. Use permissive mode while you migrate your workloads to {ProductShortName}.
+Enabling mTLS across your mesh at the control plane level secures all the traffic in your mesh without rewriting your applications and workflows. You can secure namespaces in your mesh at the data plane level in the `ServiceMeshControlPlane` resource or at the application level with `PeerAuthentication` and `DestinationRule` resources to configure how incoming and outgoing connections encrypt traffic. 
 
 [id="ossm-security-enabling-strict-mtls_{context}"]
 == Enabling strict mTLS across the mesh
 
-You can quickly enable mTLS across your mesh if your workloads do not communicate with outside services, and communication will not be interrupted by accepting only encrypted connections. Set `spec.security.controlPlane.mtls` to `true` in your `ServiceMeshControlPlane` resource. The operator creates the required resources.
+You can quickly enable mTLS across your mesh if your workloads do not communicate with outside services, and communication will not be interrupted by accepting only encrypted connections. mTLS for all data plane communication is disabled by default. You can enable it by setting `spec.security.dataPlane.mtls` to `true` in the `ServiceMeshControlPlane` resource. The Operator creates the required resources.
 
 [source,yaml]
 ----
@@ -23,10 +23,26 @@ kind: ServiceMeshControlPlane
 spec:
   version: v2.0
   security:
-    controlPlane:
+    dataPlane:
       mtls: true
 ----
 
+You can also enable mTLS by using the {product-title} web console.
+
+.Procedure
+
+. Log in to the web console.
+
+. Click the *Project* menu and choose the `istio-system` project from the list.
+
+. Click *Operators* -> *Installed Operators*.
+
+. Click on *Service Mesh Control Plane* under *Provided APIs*.
+
+. Click the name of your `ServiceMeshControlPlane` resource, for example, `production`.
+
+. On the Details page, click the toggle in the *Security* section for *Data Plane Security*.
+
 [id="ossm-security-mtls-sidecars-incoming-services_{context}"]
 === Configuring sidecars for incoming connections for specific services
 
@@ -44,6 +60,11 @@ spec:
     mode: STRICT
 ----
 
+[NOTE]
+====
+If you are not using automatic mTLS and you are setting PeerAuthentication to STRICT, you must create a `DestinationRule` resource for your service.
+====
+
 [id="ossm-security-mtls-sidecars-outgoing_{context}"]
 == Configuring sidecars for outgoing connections
 
@@ -99,3 +120,19 @@ The default is `TLS_AUTO` and does not specify a version of TLS.
 |`TLSv1_3`
 |TLS version 1.3
 |===
+
+[id="ossm-security-enabling-controlplane_{context}"]
+== Enabling strict mTLS for Mixer telemetry or policy components
+
+Secure connections are always used when proxies communicate with the control plane regardless of the `spec.security.controlPlane.mtls` setting. If you use Mixer telemetry or policy, set `spec.security.controlPlane.mtls` to `true` in your `ServiceMeshControlPlane` resource to enable strict mTLS.
+
+[source,yaml]
+----
+apiVersion: maistra.io/v2
+kind: ServiceMeshControlPlane
+spec:
+  version: v2.0
+  security:
+    controlPlane:
+      mtls: true
+----
