Package: Invicti AppSec Core (on-demand)
NTA with Istio Service Mesh
This document explains how to install and configure the Invicti Network Traffic Analyzer (NTA) with Istio Service Mesh in your Kubernetes cluster to capture both HTTP and HTTPS traffic and reconstruct OpenAPI3 specification files.
Why this matters
If your Kubernetes services use Istio Service Mesh, the NTA can capture both HTTP and HTTPS traffic - giving you visibility into encrypted API calls that other methods miss. Without this setup, HTTPS traffic flows through Envoy encrypted and unobservable, leaving gaps in your API catalog.
Prerequisites
- A Kubernetes cluster
- Helm command-line tool installed (version 3+)
- kubectl configured for your cluster (for example, using Get-AksHciCredential)
- A Kubernetes namespace created for Invicti NTA
- Istio Service Mesh installed and running in your cluster
Minimum system requirements
- 1 GB RAM
- 2-core 64-bit CPU
- 2 GB available HDD
Overview
There are two ways to capture Kubernetes traffic with the Invicti NTA:
- Integrating with Istio Service Mesh (captures both HTTP and HTTPS traffic): This method leverages the Istio Envoy proxy with WASM filters to inspect encrypted (HTTPS) and unencrypted (HTTP) traffic. This document focuses on configuring Invicti NTA for this integration.
- Integrating with a Kubernetes namespace interface natively (captures HTTP traffic only): This method uses the Tap Plugin to monitor unencrypted traffic within a Kubernetes namespace and doesn't support HTTPS traffic unless combined with Istio. For details, refer to the NTA with Tap Plugin documentation.
Installation steps
The Invicti NTA Helm chart includes:
- Reconstructor - Processes captured traffic and generates OpenAPI3 specification files.
- Istio Service Mesh Envoy - Captures both HTTP and HTTPS traffic by integrating with Istio's Envoy proxy. This is essential for environments using Istio to handle encrypted traffic through the Envoy proxy and WebAssembly (WASM) filters.
Step 1: Retrieve the registration token
- Select Discovery > API sources from the left-side menu.
- Click Add source.
- Leave the import type as External platform.
- Enter a name for the source configuration. This helps you identify it later in your list of API sources.
- Select Invicti Network Traffic Analyzer as the source type.
- Click Generate token.
- Click the copy icon next to the newly generated registration token.
- Click Save at the bottom of the page. Don't skip this step.
Step 2: Authenticate with the Invicti Registry
Launch the Helm command-line tool and run the following command:
helm registry login registry.invicti.com
Username: your Invicti AppSec Core email
Password: your valid Invicti AppSec Core license key
Step 3: Label target namespace
Before deploying, label the namespace to enable Istio sidecar injection:
kubectl label namespace <your-namespace> istio-injection=enabled
Step 4: Prepare and deploy the Invicti Helm chart
Run the following command to install Invicti NTA into your Kubernetes cluster:
helm install invicti-api-discovery \
oci://registry.invicti.com/invicti-api-discovery \
--version 25.11 \
-n default \
--set imageRegistryUsername=email-address \
--set imageRegistryPassword=password \
--set reconstructor.JWT_TOKEN="registration-token" \
--set trafficSource.envoyWasm.enabled=true \
--set trafficSource.envoyWasm.namespaces="your-namespace"
You can omit the --version parameter to automatically pull the latest chart version. To install a specific version, use --version X.X.X (for example, --version 25.11). Helm doesn't support --version latest syntax.
Replace the following placeholders with your actual values:
- default: the Kubernetes namespace where you want to install Invicti NTA. This should also be the namespace watched by Envoy.
- email-address: your Invicti AppSec Core email address.
- password: your valid Invicti AppSec Core license key.
- registration-token: the registration token from step 1. Keep it enclosed in double quotes.
- your-namespace: the target namespace (should be separate from your application namespace). This namespace doesn't require istio-injection=enabled.
Step 5: Verify the installation (optional)
To confirm the installation was successful and the components are running:
- Run the following command to check pod status:
kubectl get pods -n <your-namespace>
- Confirm that all pods (for example, tap, reconstructor) aren't in CrashLoopBackOff or Error states.
- If any pods aren't running properly, check their logs:
kubectl logs <pod-name> -n <your-namespace>
Copy the pod name from the kubectl get pods -n <your-namespace> output.
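The checks in Step 5 and the first Troubleshooting entry can be scripted. The following is an added example, not part of the Invicti chart or its documentation: two helpers that post-process the output of the kubectl commands above (pod status and the istio-injection namespace label), run here against constructed sample output so they can be tried offline; the pod and namespace names in the samples are made up.

```shell
#!/bin/sh
# Added example (not Invicti's own tooling): post-install checks for Step 5.

# classify_pods: reads `kubectl get pods -n <ns> --no-headers` on stdin
# (columns: NAME READY STATUS RESTARTS AGE), prints each pod whose STATUS is
# a failure state, and returns 1 if any such pod was found.
classify_pods() {
  awk '
    $3 ~ /^(CrashLoopBackOff|Error|ImagePullBackOff|ErrImagePull)$/ {
      print $1 ": " $3; bad++
    }
    END { exit (bad > 0) }
  '
}

# check_injection_label: reads `kubectl get namespace <ns> --show-labels
# --no-headers` on stdin; returns 0 only when istio-injection=enabled is one
# of the labels (the label Step 3 asks for).
check_injection_label() {
  grep -Eq '(^|[ ,])istio-injection=enabled(,|$)'
}

# verify_namespace: live wiring of both helpers (needs cluster access).
# Usage: verify_namespace <namespace>
verify_namespace() {
  ns=$1
  kubectl get namespace "$ns" --show-labels --no-headers | check_injection_label \
    || echo "namespace $ns is missing istio-injection=enabled (see Step 3)"
  kubectl get pods -n "$ns" --no-headers | classify_pods \
    || echo "failing pods found; run: kubectl logs <pod-name> -n $ns"
}

# Constructed sample output for offline demonstration (not from a real cluster).
SAMPLE_PODS='reconstructor-7d9f8b6c4-xk2lp   1/1   Running            0   5m
tap-5c6d7e8f9-ab1cd              0/1   CrashLoopBackOff   4   5m'
SAMPLE_NS_LABELED='invicti-nta   Active   5m   istio-injection=enabled,kubernetes.io/metadata.name=invicti-nta'
SAMPLE_NS_UNLABELED='invicti-nta   Active   5m   kubernetes.io/metadata.name=invicti-nta'

# Offline run on the samples: the tap pod is reported, the unlabeled namespace flagged.
printf '%s\n' "$SAMPLE_PODS" | classify_pods || echo "-> failing pods found"
printf '%s\n' "$SAMPLE_NS_LABELED" | check_injection_label && echo "-> label present"
printf '%s\n' "$SAMPLE_NS_UNLABELED" | check_injection_label || echo "-> label missing"
```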
Update or reinstall Invicti NTA with Istio
- Retrieve the latest registration token and password using the standard token generation procedure in Step 1.
- Log in to the Invicti registry as in Step 2.
- Run the update command:
helm upgrade --install invicti-api-discovery \
oci://registry.invicti.com/invicti-api-discovery \
--version 25.11 \
-n default \
--set trafficSource.envoyWasm.enabled=true \
--set imageRegistryUsername=email-address \
--set imageRegistryPassword=password \
--set reconstructor.JWT_TOKEN="registration-token" \
--set trafficSource.envoyWasm.namespaces="your-namespace"
You can omit the --version parameter to automatically pull the latest chart version. To install a specific version, use --version X.X.X (for example, --version 25.11). Helm doesn't support --version latest syntax.
Troubleshooting
Pods in CrashLoopBackOff or Error state
Run kubectl logs <pod-name> -n <your-namespace> to inspect the pod logs. Common causes are an invalid registration token, incorrect registry credentials, or a namespace labeling issue. Verify that istio-injection=enabled is set on the target namespace and that the token was copied correctly from step 1.
No specs appearing in the API catalog after installation
Check that the NTA source shows Sync completed on the Discovery > API sources page. If the status is Awaiting setup, the NTA hasn't sent its first heartbeat yet - allow a few minutes after installation. If the status is Token expired, generate a new registration token and update your NTA installation.
Helm install fails with authentication error
Confirm you're using your Invicti AppSec Core email as the username and your valid license key as the password when authenticating with helm registry login registry.invicti.com. License keys are case-sensitive.
Need help?
The Invicti Support team is ready to provide you with technical help. Go to the Help Center.