Red Hat OpenShift Service Mesh (OSSM) - Security options with mTLS for egress edge traffic

Overview

The Service Mesh provides the option to strengthen application security by enabling mTLS on traffic between in-mesh application components and services external to the mesh. For Service Mesh egress edge traffic there are several ways to configure this security feature. This article lists those options below (including the clear-text variations), each with a linked example so you can gain hands-on experience with every scenario.

| # | Scenario | Notes |
|---|----------|-------|
| 1 | Secure traffic to another external service (could be another Service Mesh not managed with OSSM Federation) | |
| 1a | Encrypted External Traffic via sidecar container | Variation 1: Un-Encrypted External Traffic via sidecar container (mTLS internal traffic PERMISSIVE). Variation 2: Un-Encrypted External Traffic via sidecar container (mTLS internal traffic STRICT) |
| 1b | Encrypted External Traffic via egress gateway container | Variation: Un-Encrypted External Traffic via egress gateway container |
| 1c | Encrypted External Traffic directly from the App container | |
| 2 | Secure Traffic to an external service on another federated Service Mesh (OSSM) | |
| 2a | Encrypted federated Traffic directly from the Application | Impossible by Design (Unencrypted traffic is not possible in Federation by design) |
| 2b | Encrypted federated Traffic via egress gateway | Un-Encrypted variation: Impossible by Design (Unencrypted traffic is not possible in Federation by design) |