
Configure mTLS between the Gateway and Kuadrant components

Overview

This guide includes the steps to enable mTLS between an Istio-provided gateway and the Kuadrant data plane components. If you use an AuthPolicy or RateLimitPolicy, the gateway talks to the corresponding Kuadrant component at request time: the Wasm plugin running in the Envoy proxy calls Authorino (for AuthPolicy) or Limitador (for RateLimitPolicy). That traffic carries the authorization decisions and rate-limit counters the gateway enforces, so mTLS is what guarantees it is encrypted and that only a workload with a valid mesh identity can talk to Authorino or Limitador. At the time of writing there is an RFC discussing how to add mTLS capabilities as a feature of the Kuadrant operator. If you are interested in that feature, or in influencing how it is delivered, please engage on that pull request.

Note

This method currently only works if the Gateway is provided by Istio, with service mesh capabilities enabled across the cluster, for example with the Istio CNI agent running on each node.

Prerequisites

  • Have Istio installed as the Gateway API provider.
  • Have Kuadrant installed in the Kubernetes cluster.

Enabling mTLS

To secure communication between the gateway and the Kuadrant data plane components, set the spec.mtls.enable field of the Kuadrant custom resource to true.

Example:

apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant-sample
spec:
  mtls:
    enable: true

Note

Without an AuthPolicy or RateLimitPolicy attached to the gateway, the gateway never contacts the Kuadrant data plane components, so enabling mTLS has no effect on traffic.

Note

Behind the scenes, Kuadrant creates an Istio PeerAuthentication resource with the mTLS mode set to STRICT. In STRICT mode the targeted workloads accept only mTLS connections carrying a mesh identity; plaintext connections are rejected rather than tolerated, which is the difference from Istio's PERMISSIVE mode.
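A way to confirm the setting actually took effect, as an added example that is not part of the Kuadrant documentation or the operator's code: list every PeerAuthentication in the cluster in a one-record-per-line form and fail unless all of them are STRICT. The resource names and namespaces are whatever the operator chose, so the check scans all namespaces; kubectl on PATH and a configured kubeconfig are assumed, and the sample output at the bottom is constructed, not taken from a real cluster.

```shell
#!/bin/sh
# Added example: check that PeerAuthentication resources are in STRICT mode.
# Not part of the Kuadrant docs or operator. Assumes kubectl is on PATH and
# points at the cluster; the offline sample data below is constructed.
set -u

# Emit one "namespace/name mode" line per PeerAuthentication. jsonpath keeps
# the output flat so it can be parsed with plain sh, no yq/jq needed.
list_peer_auth_modes() {
  kubectl get peerauthentication -A \
    -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.mtls.mode}{"\n"}{end}'
}

# Read "namespace/name mode" lines on stdin. Exit 0 only if at least one
# PeerAuthentication exists and every one is STRICT. Any other mode
# (PERMISSIVE, DISABLE, UNSET, or empty, which Istio treats as inheriting
# the parent policy) is reported and makes the check fail.
assert_strict_mtls() {
  count=0
  bad=0
  while IFS=' ' read -r name mode; do
    [ -n "$name" ] || continue
    count=$((count + 1))
    case "$mode" in
      STRICT) echo "ok   $name: STRICT" ;;
      *)      echo "FAIL $name: mode=${mode:-<unset>}"; bad=$((bad + 1)) ;;
    esac
  done
  [ "$count" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample output (placeholder namespace/name values) so the check
# can be exercised offline.
SAMPLE_STRICT='kuadrant-system/authorino STRICT
kuadrant-system/limitador STRICT'
SAMPLE_MIXED='kuadrant-system/authorino STRICT
kuadrant-system/limitador PERMISSIVE'

# Run against the live cluster only when asked, so sourcing this file is safe.
if [ "${1:-}" = "--live" ]; then
  list_peer_auth_modes | assert_strict_mtls
fi
```

Run it with `--live` after applying the Kuadrant resource; a non-zero exit means some PeerAuthentication is not STRICT. After disabling mTLS, the page does not state whether the operator deletes the resource or changes its mode, so re-run the check and read the listed entries rather than relying on the exit status alone.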

Disabling mTLS

To disable mTLS, either set the spec.mtls.enable field of the Kuadrant custom resource to false or remove the optional spec.mtls field entirely. Setting the field to null, as in the example below, clears it when the manifest is applied with kubectl apply.

Example:

apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant-sample
spec:
  mtls: null