Expose and secure a workload with a certificate

This tutorial shows how to expose a workload through a TLS Gateway configured for mutual TLS (mTLS) and how to restrict access to clients presenting a specific client certificate.

Prerequisites

Authorize a client with a certificate

The following instructions describe how to secure an HttpBin service or a Function behind an mTLS Gateway.

NOTE: The mTLS Gateway only verifies that the client certificate chains to the trusted client root CA. To restrict access to one particular client, create an AuthorizationPolicy that checks that the Common Name (CN) in the client certificate matches the expected value.

  1. Export the following values as environment variables:

    export CLIENT_ROOT_CA_CRT_FILE={CLIENT_ROOT_CA_CRT_FILE}
    export CLIENT_CERT_CN={COMMON_NAME}
    export CLIENT_CERT_ORG={ORGANIZATION}
    export CLIENT_CERT_CRT_FILE={CLIENT_CERT_CRT_FILE}
    export CLIENT_CERT_KEY_FILE={CLIENT_CERT_KEY_FILE}
  2. Create a VirtualService that routes to the HttpBin service or the Function and sets the X-CLIENT-SSL headers on incoming requests from the fields of the client certificate.
  3. Create an AuthorizationPolicy for the HttpBin service or the Function that allows a request only if it carries the expected client certificate subject.
  4. Call the secured endpoints of the HttpBin service or the secured Function with the client certificate and key.
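The following script is an added example that walks through steps 2 to 4 for the HttpBin variant; it is not part of the original tutorial and is not the Kyma project's own code. The namespace, domain, Gateway reference (`kyma-system/kyma-mtls-gateway`), the `httpbin` Service and its port, the `X-CLIENT-SSL-*` header names and the default sample values are assumptions. The subject string compared by the AuthorizationPolicy assumes the client certificate was issued with the subject `/CN=$CLIENT_CERT_CN/O=$CLIENT_CERT_ORG`; Envoy emits the subject in RFC 2253 order, so check the value the gateway actually sets by reading it back from the `/headers` endpoint before relying on the policy.

```shell
#!/usr/bin/env sh
# Added example, not from the Kyma tutorial: render the VirtualService and the
# AuthorizationPolicy for the HttpBin variant and call the workload with mTLS.
# The resource names, namespace, domain, Gateway reference, httpbin port and the
# X-CLIENT-SSL-* header names below are assumptions for illustration.
set -eu

# Inputs from step 1. The defaults are constructed sample values so the script
# can render the manifests offline; override them with the real exports.
: "${NAMESPACE:=default}"
: "${DOMAIN_TO_EXPOSE_WORKLOADS:=example.com}"
: "${MTLS_GATEWAY:=kyma-system/kyma-mtls-gateway}"
: "${CLIENT_CERT_CN:=client}"
: "${CLIENT_CERT_ORG:=example-org}"
: "${CLIENT_CERT_CRT_FILE:=client.crt}"
: "${CLIENT_CERT_KEY_FILE:=client.key}"

# Subject as Envoy writes it into %DOWNSTREAM_PEER_SUBJECT% for a certificate
# created with -subj "/CN=$CLIENT_CERT_CN/O=$CLIENT_CERT_ORG" (RFC 2253 order,
# most specific attribute last). This is the exact string the policy matches.
expected_subject() {
  printf 'O=%s,CN=%s' "$CLIENT_CERT_ORG" "$CLIENT_CERT_CN"
}

# Step 2: the gateway overwrites (set, not add) the headers, so a client cannot
# smuggle its own X-CLIENT-SSL-CN value past the gateway.
render_virtual_service() {
  cat <<EOF
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: httpbin-vs
  namespace: $NAMESPACE
spec:
  hosts:
  - httpbin-vs.$DOMAIN_TO_EXPOSE_WORKLOADS
  gateways:
  - $MTLS_GATEWAY
  http:
  - route:
    - destination:
        host: httpbin.$NAMESPACE.svc.cluster.local
        port:
          number: 8000
    headers:
      request:
        set:
          X-CLIENT-SSL-CN: '%DOWNSTREAM_PEER_SUBJECT%'
          X-CLIENT-SSL-ISSUER: '%DOWNSTREAM_PEER_ISSUER%'
EOF
}

# Step 3: ALLOW only when the header carries the expected subject. Once an ALLOW
# policy selects the workload, every request that matches no rule is denied.
render_authorization_policy() {
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-client-cert
  namespace: $NAMESPACE
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - to:
    - operation:
        hosts: ["httpbin-vs.$DOMAIN_TO_EXPOSE_WORKLOADS"]
    when:
    - key: request.headers[X-Client-Ssl-Cn]
      values: ["$(expected_subject)"]
EOF
}

# Step 4: present the client certificate and echo the headers the gateway set.
# The server certificate is verified against the system trust store; if the
# gateway uses a private CA, pass that CA (not the client root CA) via --cacert.
call_httpbin_headers() {
  curl --cert "$CLIENT_CERT_CRT_FILE" --key "$CLIENT_CERT_KEY_FILE" \
    -sS "https://httpbin-vs.$DOMAIN_TO_EXPOSE_WORKLOADS/headers"
}

# Apply and call only when explicitly requested; otherwise just print manifests.
if [ "${APPLY:-0}" = "1" ]; then
  render_virtual_service | kubectl apply -f -
  render_authorization_policy | kubectl apply -f -
  call_httpbin_headers
else
  render_virtual_service
  printf -- '---\n'
  render_authorization_policy
fi
```

Run it without arguments to review the rendered manifests, then with `APPLY=1` to apply them and make the mTLS call. Requests without a client certificate are rejected by the gateway; requests with a certificate from the trusted CA but a different subject reach the sidecar and are denied by the policy with HTTP 403. Because the policy trusts a request header, the workload must only be reachable through the gateway that sets it; an in-mesh caller that can reach the Service directly could set the header itself.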