This tutorial shows how to expose and secure a workload with mutual authentication using TLS Gateway.

Prerequisites

• Deploy a sample HttpBin service and sample Function.
• Set up your custom domain.
• Set up a mutual TLS Gateway and export the bundle certificates.
• To learn how to create your own self-signed Client Root CA and Certificate, see this tutorial. This step is optional.

Authorize a client with a certificate

The following instructions describe how to secure an mTLS service or a Function.

NOTE: Create AuthorizationPolicy to check if the client's common name in the certificate matches.

1. Export the following values as environment variables:

   Click to copy

   export CLIENT_ROOT_CA_CRT_FILE={CLIENT_ROOT_CA_CRT_FILE}
   export CLIENT_CERT_CN={COMMON_NAME}
   export CLIENT_CERT_ORG={ORGANIZATION}
   export CLIENT_CERT_CRT_FILE={CLIENT_CERT_CRT_FILE}
   export CLIENT_CERT_KEY_FILE={CLIENT_CERT_KEY_FILE}

2. Create VirtualService that adds the X-CLIENT-SSL headers to incoming requests:

3. Create AuthorizationPolicy that verifies if the request contains a client certificate:

4. Call the secured endpoints of the HttpBin service or the secured Function.