Expose and secure a workload with a certificate
This tutorial shows how to expose a workload through a mutual TLS (mTLS) Gateway and authorize only clients that present a certificate with the expected subject.
Prerequisites
- Deploy a sample HttpBin service and a sample Function.
- Set up your custom domain.
- Set up a mutual TLS Gateway and export the bundle certificates.
- Optionally, create your own self-signed Client Root CA and client certificate; see the corresponding tutorial.
Authorize a client with a certificate
The following instructions describe how to secure an HttpBin service or a Function exposed through the mTLS Gateway.
NOTE: The mTLS Gateway only verifies that the client certificate chains to the Client Root CA. To authorize a specific client, create an AuthorizationPolicy that checks whether the common name (CN) and organization (O) in the client's certificate match the expected values.
Export the following values as environment variables (replace the placeholders in braces with your own values):

```bash
export CLIENT_ROOT_CA_CRT_FILE={CLIENT_ROOT_CA_CRT_FILE}  # Client Root CA certificate (PEM) from the mTLS Gateway bundle
export CLIENT_CERT_CN={COMMON_NAME}                        # CN of the client certificate to authorize
export CLIENT_CERT_ORG={ORGANIZATION}                      # O of the client certificate to authorize
export CLIENT_CERT_CRT_FILE={CLIENT_CERT_CRT_FILE}         # client certificate (PEM)
export CLIENT_CERT_KEY_FILE={CLIENT_CERT_KEY_FILE}         # client private key (PEM)
```

Create a VirtualService that adds the X-CLIENT-SSL headers (filled from the verified client certificate) to incoming requests. There is one variant for the HttpBin service and one for the Function.
Create an AuthorizationPolicy that verifies that the request carries a client certificate whose subject matches the expected CN and organization, again with one variant for the HttpBin service and one for the Function.
Call the secured endpoints of the HttpBin service or the secured Function with the client certificate and key. Check the negative cases as well: a request without a client certificate must fail the TLS handshake, and a certificate whose subject does not match the AuthorizationPolicy must be rejected with HTTP 403.
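The procedure above, carried through end to end for the HttpBin variant, as an added example that is not the tutorial's own manifests. It assumes a namespace, a Gateway name, the HttpBin labels and port, the header names, and the Envoy command operators (`%DOWNSTREAM_PEER_SUBJECT%` and friends) used to fill the headers; none of these are given on the page, so adjust them to your setup. Rendering is separated from applying so the manifests can be inspected first; set `APPLY=1` to apply them and run the checks against the cluster.

```bash
#!/usr/bin/env bash
# Added example, not the tutorial's own manifests. Renders the HttpBin variant of the
# VirtualService and AuthorizationPolicy from the exported variables, applies them when
# APPLY=1, and calls the endpoint with and without the client certificate.
# Assumed (not given on the page): namespace, gateway name, HttpBin labels/port,
# header names, and the Envoy command operators that fill the headers.
set -eu

: "${NAMESPACE:=default}"                       # assumed namespace of HttpBin
: "${MTLS_GATEWAY_NAME:=kyma-mtls-gateway}"     # assumed name of the mutual TLS Gateway
: "${DOMAIN_TO_EXPOSE_WORKLOADS:=example.com}"  # custom domain from the prerequisites
: "${CLIENT_CERT_CN:=client}"                   # placeholders for the values exported above
: "${CLIENT_CERT_ORG:=example-org}"
: "${CLIENT_CERT_CRT_FILE:=client.crt}"
: "${CLIENT_CERT_KEY_FILE:=client.key}"
: "${CLIENT_ROOT_CA_CRT_FILE:=client-root-ca.crt}"

# Subject string the policy must match. Envoy prints the peer subject in RFC 2253
# order, so a certificate created with -subj "/CN=$CN/O=$ORG" arrives as
# "O=$ORG,CN=$CN". Confirm the exact string in the /headers output before relying on it.
expected_subject() {
  printf 'O=%s,CN=%s' "$CLIENT_CERT_ORG" "$CLIENT_CERT_CN"
}

# VirtualService: copies the verified peer certificate fields into request headers.
# 'set' replaces any value the client sent, so the headers cannot be injected from
# outside the gateway; 'add' would merge with a client-supplied header instead.
render_virtualservice() {
  cat <<EOF
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpbin-mtls
  namespace: ${NAMESPACE}
spec:
  hosts:
  - "httpbin.${DOMAIN_TO_EXPOSE_WORKLOADS}"
  gateways:
  - ${MTLS_GATEWAY_NAME}   # use <namespace>/<name> if the Gateway is in another namespace
  http:
  - headers:
      request:
        set:
          X-CLIENT-SSL-CN: "%DOWNSTREAM_PEER_SUBJECT%"
          X-CLIENT-SSL-SAN: "%DOWNSTREAM_PEER_URI_SAN%"
          X-CLIENT-SSL-ISSUER: "%DOWNSTREAM_PEER_ISSUER%"
    route:
    - destination:
        host: httpbin
        port:
          number: 8000
EOF
}

# AuthorizationPolicy: once an ALLOW policy selects the workload, every request that
# matches no rule gets 403. If the workload is also reachable from inside the mesh
# without passing the gateway, add a from.source.principals entry with the gateway's
# identity; otherwise an in-mesh caller could set the header itself.
render_authorizationpolicy() {
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-client-cert
  namespace: ${NAMESPACE}
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["httpbin.${DOMAIN_TO_EXPOSE_WORKLOADS}"]
    when:
    - key: request.headers[X-Client-Ssl-Cn]
      values: ["$(expected_subject)"]
EOF
}

apply_manifests() {
  render_virtualservice | kubectl apply -f -
  render_authorizationpolicy | kubectl apply -f -
}

# Positive check: expect HTTP 200 and the X-Client-Ssl-Cn header echoed by /headers.
# The server certificate is assumed to be trusted by the system store; otherwise add
# --cacert with the server CA (not the client root CA, which only signs clients).
call_with_client_cert() {
  curl --silent --show-error --include \
    --cert "${CLIENT_CERT_CRT_FILE}" --key "${CLIENT_CERT_KEY_FILE}" \
    "https://httpbin.${DOMAIN_TO_EXPOSE_WORKLOADS}/headers"
}

# Negative check: without a client certificate the TLS handshake must fail.
call_without_client_cert() {
  if curl --silent --show-error --include "https://httpbin.${DOMAIN_TO_EXPOSE_WORKLOADS}/headers"; then
    echo "ERROR: request without a client certificate was accepted" >&2
    return 1
  fi
  echo "OK: request without a client certificate was rejected"
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_manifests
  call_with_client_cert
  call_without_client_cert
fi
```

Run it once with `APPLY=0` and read the rendered AuthorizationPolicy before applying; the value in `values:` must be byte-for-byte what the gateway writes into `X-Client-Ssl-Cn`, which is why the positive check calls `/headers` and shows the echoed header.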