Configure mTLS between the Gateway and Kuadrant components
Overview
This guide includes manual steps to enable mTLS between an Istio provided gateway and the Kuadrant data plane components. If you use an AuthPolicy or RateLimitPolicy, there will be communication between the gateway and the respective Kuadrant components at request time. This communication happens between the Wasm plugin in Envoy proxy, and Authorino or Limitador. At the time of writing there is an RFC discussing how to add mTLS capabilities as a feature of the Kuadrant operator. If you are interested in having that feature or influencing how it is delivered, please engage on that pull request.
Note
This method currently only works if the Gateway is provided by Istio, with service mesh capabilities enabled across the cluster. For example, the Istio CNI agent is running on each node.
Prerequisites
- Have Istio as the Gateway API provider installed.
- You have installed Kuadrant in a Kubernetes cluster.
Enabling mTLS
In order to ensure that communications between the gateway and the Kuadrant data plane components are secured, set the Kuadrant custom resource's spec.mtls.enable field to true.
Example:
apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant-sample
spec:
  mtls:
    enable: true
Note
In the absence of an AuthPolicy or RateLimitPolicy, the gateway does not communicate with the Kuadrant data plane components, so enabling mTLS has no effect.
Note
Behind the scenes, Kuadrant will create a PeerAuthentication resource where the mtls mode is set to STRICT.
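A small audit script, added here as an example and not part of the Kuadrant project, that checks whether the setting in the Kuadrant custom resource and the PeerAuthentication objects actually present in the cluster agree: mTLS is treated as requested only when spec.mtls.enable is true (enable: false or an absent spec.mtls both count as disabled), and a finding is raised when a STRICT PeerAuthentication is missing while mTLS is requested, or still present after it was disabled. The sample resources are constructed inline to stand in for `kubectl get ... -o json` output, and the kuadrant-system namespace and the kuadrant-mtls object name are assumptions, since the page does not state where the PeerAuthentication is created.

```python
import json

# Constructed sample of the Kuadrant CR; the namespace is an assumption.
KUADRANT_CR = json.loads("""
{"apiVersion": "kuadrant.io/v1beta1", "kind": "Kuadrant",
 "metadata": {"name": "kuadrant-sample", "namespace": "kuadrant-system"},
 "spec": {"mtls": {"enable": true}}}
""")

# Constructed stand-in for `kubectl get peerauthentication -A -o json`;
# the object name and namespace are assumptions, not Kuadrant's real values.
PEER_AUTH_LIST = json.loads("""
{"items": [
  {"apiVersion": "security.istio.io/v1", "kind": "PeerAuthentication",
   "metadata": {"name": "kuadrant-mtls", "namespace": "kuadrant-system"},
   "spec": {"mtls": {"mode": "STRICT"}}}
]}
""")

def mtls_requested(kuadrant_cr: dict) -> bool:
    """True only when spec.mtls.enable is explicitly true.
    A missing spec.mtls or enable: false both mean mTLS is off."""
    mtls = (kuadrant_cr.get("spec") or {}).get("mtls") or {}
    return mtls.get("enable") is True

def strict_peer_auths(peer_auth_list: dict, namespace: str) -> list:
    """Names of PeerAuthentication objects in `namespace` whose mtls mode is STRICT."""
    return [
        pa["metadata"]["name"]
        for pa in peer_auth_list.get("items", [])
        if pa["metadata"].get("namespace") == namespace
        and ((pa.get("spec") or {}).get("mtls") or {}).get("mode") == "STRICT"
    ]

def audit(kuadrant_cr: dict, peer_auth_list: dict) -> list:
    """Findings where the requested setting and the cluster state disagree."""
    ns = kuadrant_cr["metadata"].get("namespace", "default")
    strict = strict_peer_auths(peer_auth_list, ns)
    findings = []
    if mtls_requested(kuadrant_cr) and not strict:
        findings.append(f"mTLS enabled in Kuadrant CR but no STRICT PeerAuthentication in {ns}")
    if not mtls_requested(kuadrant_cr) and strict:
        findings.append(f"mTLS disabled in Kuadrant CR but STRICT PeerAuthentication(s) remain: {strict}")
    return findings

if __name__ == "__main__":
    print(audit(KUADRANT_CR, PEER_AUTH_LIST) or "OK: mTLS setting and PeerAuthentication agree")
```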
Disabling mTLS
To disable mTLS, either set the Kuadrant custom resource's spec.mtls.enable field to false, or simply remove the optional spec.mtls field.
Example: