TykTechnologies / tyk-operator

Tyk Operator for Kubernetes
https://tyk.io
Mozilla Public License 2.0

Gateway to upstream mTLS support in the Tyk Operator #342

Closed oluwaseyeayinla closed 2 years ago

oluwaseyeayinla commented 3 years ago

SLA client is requesting the addition of support for Gateway-to-upstream mTLS configuration parameters in the Tyk Operator.

asoorm commented 3 years ago

Initial thoughts:

I assume that we will store upstream certs & pinned public keys inside K8s secrets. Then we would need to dynamically load these into Tyk's certificate storage as we do with Ingress.

When a certificate is rotated / deleted, we would then need to update the certificate hashes inside each api definition object that references it.

Is it possible to use this feature by referencing the secret from the api definition object? Would it ever be desirable to hardcode a certificate ID?

buger commented 3 years ago

Do not forget that we have 2 mTLS options. The first is when you whitelist certificates in the API, and the second is more dynamic, when you create API keys based on certificates.

While in the first approach you can try to use k8s for certificate storage, in the second the Operator at the moment does not manage Keys, and users have to rely on Tyk certificate storage.