NTA with Istio Service Mesh

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

This feature is available with Invicti API Security Standalone or Bundle.

This document explains how to install and configure the Invicti Network Traffic Analyzer (NTA) with Istio Service Mesh in your Kubernetes cluster to capture both HTTP and HTTPS traffic and reconstruct OpenAPI3 specification files.

Prerequisites

  • A Kubernetes cluster
  • Helm CLI installed (version 3+)
  • kubectl configured for your cluster (e.g., using Get-AksHciCredential)
  • A Kubernetes namespace created for Invicti NTA
  • Istio Service Mesh installed and running in your cluster

Minimum System Requirements

  • 1 GB RAM
  • 2-core 64-bit CPU
  • 2 GB available HDD

Overview

There are two ways to capture Kubernetes traffic with the Invicti NTA:

  1. Integrating with Istio Service Mesh (captures both HTTP and HTTPS traffic): This method, described in this document, leverages the Istio Envoy proxy with WASM filters to inspect both encrypted (HTTPS) and unencrypted (HTTP) traffic.

  2. Integrating natively with a Kubernetes namespace (captures HTTP traffic only): This method uses the Tap Plugin to monitor unencrypted traffic within a Kubernetes namespace. It does not support HTTPS traffic unless combined with Istio. Details for this setup are covered in the NTA with Tap Plugin documentation.

Installation steps

The Invicti NTA Helm chart includes:

  • Reconstructor – Processes captured traffic and generates OpenAPI3 specification files.
  • Istio Service Mesh Envoy – Captures both HTTP and HTTPS traffic through WebAssembly (WASM) filters loaded into Istio's Envoy proxy. Because the filter runs inside the proxy, this is the component that makes HTTPS traffic observable in environments that use Istio.

Step 1: Retrieve the registration token and password

  1. Log in to Invicti Enterprise.
  2. Select APIs > Sources from the left-side menu and click Add new source.
  3. Enter a name and select Invicti Network Traffic Analyzer.
  4. In the NTA server url field, enter the URL of the server where the Invicti Enterprise web app is running. The default entry is the current host URL from the browser. It must be externally accessible.

IMPORTANT:

The Invicti NTA must be able to reach the URL you enter into this field. You cannot use 'localhost'. The NTA Server URL you provide is embedded in the token you generate in the next step, so check it before generating the token.

  5. Click Generate token and copy it. Paste the registration token somewhere you can retrieve it easily when you prepare the installation command in Step 4.
  6. Select Save at the bottom of the page. Do not skip this step!
  7. Select Agents > Manage Agents from the left-side menu.
  8. Click + Configure New Agent.
  9. In the Docker CLI & Openshift section, click the copy icon next to "2- When prompted, enter the password below". This is the password you will use to authenticate to Invicti's public registry.
  10. Paste the copied password somewhere you can retrieve it easily when you log in to the registry in Step 2 and prepare the installation command in Step 4.

Step 2: Authenticate with the Invicti Registry

  1. Open a terminal in which the Helm CLI from the prerequisites is available.
  2. Run the following command and enter your credentials when prompted:

helm registry login registry.invicti.com

  • Username: Your Invicti Enterprise email address
  • Password: The registry password copied in Step 1, point 9

Step 3: Label target namespace

Before deploying, label the application namespace whose traffic you want to capture so that Istio injects its Envoy sidecar into the pods there (the WASM filter used for capture runs inside that sidecar):

kubectl label namespace <your-namespace> istio-injection=enabled

Injection happens when a pod is created, so pods that already exist in the namespace must be restarted (for example with kubectl rollout restart deployment -n <your-namespace>) before they get a sidecar.

Step 4: Prepare and deploy the Invicti Helm chart

In your Helm CLI or terminal, run the following command to install Invicti NTA into your Kubernetes cluster:

helm install invicti-api-discovery oci://registry.invicti.com/invicti-api-discovery \
  --version 25.4.0 \
  -n default \
  --set imageRegistryUsername=email-address \
  --set imageRegistryPassword=password \
  --set reconstructor.JWT_TOKEN="registration-token" \
  --set trafficSource.envoyWasm.enabled=true \
  --set trafficSource.envoyWasm.namespaces="your-namespace"

🔧 Replace the following placeholders with your actual values:

  • default: Replace with the Kubernetes namespace where you want to install Invicti NTA. This should also be the namespace watched by Envoy.
  • email-address: Replace with your Invicti Enterprise email address.
  • password: Replace with the registry password copied in Step 1, point 9.
  • registration-token: The registration token from Step 1, point 5. Keep it enclosed in double quotes.
  • your-namespace: The target namespace (should be separate from your application namespace). This namespace does not require istio-injection=enabled.

Run the command to install Invicti NTA in your specified namespace and enable Envoy WASM filters to monitor traffic within that namespace.

Step 5: Verify the installation (optional)

To ensure that the installation was successful and the components are running properly:

  1. Run the following command to check the pod status, using the namespace you installed Invicti NTA into (the -n value from Step 4):

kubectl get pods -n <nta-namespace>

  2. Confirm that all pods (e.g., tap, reconstructor) are not in CrashLoopBackOff or Error states.
  3. If any pods are not running properly, investigate their logs with:

kubectl logs <pod-name> -n <nta-namespace>

🔧 Copy and paste the pod-name from the `kubectl get pods -n <nta-namespace>` output.

If everything looks good, your Invicti NTA with Istio Service Mesh is now successfully capturing and analyzing traffic in your Kubernetes cluster.
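The following script is an added example for this page, not Invicti's own tooling. It wraps the install flow above in small shell functions: the server-URL check the IMPORTANT note in Step 1 calls for, a decode of the registration token payload so you can see which server URL was embedded before installing, assembly of the Step 4 helm command from its placeholders, and the pod-status check from Step 5 run over kubectl output. It assumes the registration token is a standard JWT with a base64url JSON payload; the claim name nta_server_url, the sample token and the sample pod names are constructed for the demo and are not from the page.

```shell
#!/bin/sh
# Added example (not Invicti's own code). Assumptions not stated on the page:
# the registration token is a standard JWT with a base64url JSON payload, and
# the claim name "nta_server_url" plus the sample pod names below are made up.

# Step 1 check: the NTA server URL must be an absolute http(s) URL and must not
# point at the loopback address, or the NTA running in the cluster can never
# reach it. Returns 0 when the URL passes, 1 otherwise.
nta_check_server_url() {
  url="$1"
  case "$url" in
    http://*|https://*) ;;
    *) return 1 ;;
  esac
  hostport="${url#*://}"          # drop the scheme
  hostport="${hostport%%/*}"      # drop any path
  case "$hostport" in
    ""|localhost|localhost:*|127.*|\[::1\]|\[::1\]:*) return 1 ;;
  esac
  return 0
}

# Decodes the JWT payload (second dot-separated segment) so you can inspect the
# embedded server URL. The signature is NOT verified: this is for inspection
# only, never for deciding whether to trust a token.
nta_jwt_payload() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in       # restore base64 padding
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d
}

# Step 4: prints the helm install command with the placeholders filled in so
# you can review it before running it (pipe the output to sh to execute it).
# Arguments: nta-namespace email password token target-namespace [version]
nta_install_cmd() {
  ns="$1"; email="$2"; password="$3"; token="$4"; target_ns="$5"
  version="${6:-25.4.0}"
  printf 'helm install invicti-api-discovery oci://registry.invicti.com/invicti-api-discovery --version %s -n %s --set imageRegistryUsername=%s --set imageRegistryPassword=%s --set reconstructor.JWT_TOKEN="%s" --set trafficSource.envoyWasm.enabled=true --set trafficSource.envoyWasm.namespaces="%s"\n' \
    "$version" "$ns" "$email" "$password" "$token" "$target_ns"
}

# Step 5: reads 'kubectl get pods' output on stdin and prints the names of
# pods whose STATUS column (third column) is CrashLoopBackOff or Error.
nta_unhealthy_pods() {
  awk 'NR > 1 && ($3 == "CrashLoopBackOff" || $3 == "Error") { print $1 }'
}

# --- Constructed sample data so the script runs offline ---------------------
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url).$(printf '%s' '{"nta_server_url":"https://invicti.example.com"}' | b64url).not-a-real-signature"

SAMPLE_PODS='NAME                              READY   STATUS             RESTARTS   AGE
reconstructor-7d9f4b5c6d-x2k9p    1/1     Running            0          3m
traffic-source-5c2a7e8f9b-q1w2e   0/1     CrashLoopBackOff   4          3m'

# Demo run: sh nta-preflight.sh demo
if [ "${1:-}" = "demo" ]; then
  nta_check_server_url "https://invicti.example.com" && echo "server URL ok"
  nta_check_server_url "http://localhost:8080" || echo "rejected localhost URL"
  echo "token payload: $(nta_jwt_payload "$SAMPLE_TOKEN")"
  nta_install_cmd default me@example.com 'registry-password' "$SAMPLE_TOKEN" apps
  printf '%s\n' "$SAMPLE_PODS" | nta_unhealthy_pods | sed 's/^/unhealthy: /'
fi
```

One caveat the page does not mention: values passed with --set end up in your shell history and in the Helm release's stored values (helm get values invicti-api-discovery prints them), so the registry password and the registration token are recoverable by anyone who can read the release secret in that namespace. Putting them in a values file with restricted permissions and installing with helm install -f values.yaml keeps them off the command line, but the release secret still holds them; restrict access to it accordingly.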

Update or Reinstall Invicti NTA with Istio

  1. Retrieve a fresh registration token and registry password as described in Step 1.
  2. Log in to the Invicti registry as in Step 2.
  3. Prepare and run the update command, replacing the placeholders as in Step 4:

helm upgrade --install invicti-api-discovery oci://registry.invicti.com/invicti-api-discovery \
  --version 25.4.0 \
  -n default \
  --set trafficSource.envoyWasm.enabled=true \
  --set imageRegistryUsername=email-address \
  --set imageRegistryPassword=password \
  --set reconstructor.JWT_TOKEN="registration-token" \
  --set trafficSource.envoyWasm.namespaces="your-namespace"