Closed oluwaseyeayinla closed 2 years ago
Initial thoughts:
I assume that we will store upstream certs & pinned public keys inside K8s secrets. Then we would need to dynamically load these into Tyk's certificate storage as we do with Ingress.
When a certificate is rotated / deleted, we would then need to update the certificate hashes inside each api definition object that references it.
Is it possible to use this feature by referencing the secret from the api definition object? Would it ever be desirable to hardcode a certificate ID?
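The rotation problem raised in the comment above, as an added Go example that is not part of this thread or of the Tyk Operator code base: a certificate ID in Tyk's store is derived from the certificate content (as understood here, the org ID concatenated with the hex SHA-256 of the DER certificate; check this against the gateway version in use), so rotating the certificate inside a Kubernetes TLS secret produces a new ID and every API definition that hard-coded the old one must be rewritten, while deleting the secret should drop the reference. The `Secret` and `APIDefinition` types are stand-ins for `corev1.Secret` and the operator's CRD type, `selfSignedSecret` constructs test material in place of a real secret, and the org ID is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Secret models the subset of a Kubernetes TLS secret used here (stand-in for corev1.Secret).
type Secret struct {
	Name string
	Data map[string][]byte // "tls.crt" holds PEM certificate(s)
}

// APIDefinition models only the upstream-mTLS-relevant part of an API definition:
// the certificate IDs it references (hypothetical shape, not the real CRD).
type APIDefinition struct {
	Name            string
	UpstreamCertIDs []string
}

// LeafCertFromSecret returns the first CERTIFICATE block found in tls.crt.
func LeafCertFromSecret(s Secret) (*x509.Certificate, error) {
	raw, ok := s.Data["tls.crt"]
	if !ok {
		return nil, errors.New("secret has no tls.crt")
	}
	for len(raw) > 0 {
		var block *pem.Block
		block, raw = pem.Decode(raw)
		if block == nil {
			break
		}
		if block.Type == "CERTIFICATE" {
			return x509.ParseCertificate(block.Bytes)
		}
	}
	return nil, errors.New("no CERTIFICATE block in tls.crt")
}

// TykCertID reproduces the certificate ID scheme as understood here:
// orgID + hex(SHA-256(DER)). Assumption: matches the gateway's certificate store.
func TykCertID(orgID string, cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return orgID + hex.EncodeToString(sum[:])
}

// RewriteCertRef replaces oldID with newID in every definition that references it
// (an empty newID removes the reference, the deletion case). Returns definitions touched.
func RewriteCertRef(apis []APIDefinition, oldID, newID string) int {
	touched := 0
	for i := range apis {
		var out []string
		hit := false
		for _, id := range apis[i].UpstreamCertIDs {
			if id == oldID {
				hit = true
				if newID != "" {
					out = append(out, newID)
				}
				continue
			}
			out = append(out, id)
		}
		if hit {
			apis[i].UpstreamCertIDs = out
			touched++
		}
	}
	return touched
}

// selfSignedSecret builds a constructed TLS secret holding a fresh self-signed client cert.
func selfSignedSecret(name, cn string) (Secret, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Secret{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return Secret{}, err
	}
	return Secret{Name: name, Data: map[string][]byte{
		"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
	}}, nil
}

func main() {
	const orgID = "example-org-id" // placeholder, not a real Tyk org ID
	old, err := selfSignedSecret("upstream-tls", "upstream.svc")
	if err != nil {
		panic(err)
	}
	oldCert, _ := LeafCertFromSecret(old)
	oldID := TykCertID(orgID, oldCert)
	apis := []APIDefinition{{Name: "orders", UpstreamCertIDs: []string{oldID}}}

	rotated, _ := selfSignedSecret("upstream-tls", "upstream.svc") // same secret name, new content
	newCert, _ := LeafCertFromSecret(rotated)
	newID := TykCertID(orgID, newCert)
	fmt.Printf("old %s\nnew %s\n", oldID, newID)
	fmt.Println("rewritten on rotation:", RewriteCertRef(apis, oldID, newID))
	fmt.Println("rewritten on deletion:", RewriteCertRef(apis, newID, ""), apis[0].UpstreamCertIDs)
}
```

Because the ID is a content hash, a reconciler keyed on the secret alone cannot find the definitions to update; it must also track which definitions reference which ID, which is the bookkeeping the comment above points at.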
Do not forget that we have 2 mTLS options. The first is when you whitelist certificates in the API, and the second is more dynamic, when you create API keys based on certificates.
While in the first approach you can try to use k8s for certificate storage, in the second the Operator at the moment does not manage Keys, and users have to rely on Tyk certificate storage.
An SLA client is requesting the addition of support for Gateway-to-upstream mTLS configuration parameters in the Tyk Operator.