kyma-project / api-gateway


Supports mTLS scenario with APIRule #808

Open adriil opened 6 months ago

adriil commented 6 months ago

Description

Hi team,

Today, if we want to expose our service with mTLS (as documented here), we need to use an Istio VirtualService. Could we make Kyma natively support the mTLS use case with APIRule?

Reasons

DoD:

Attachments

Ressetkk commented 4 months ago

Hello @adriil, would you like to give more information about your use case? What exactly do you need to modify in the VirtualService to get mTLS working? Recently I've updated the documentation on how to set up an mTLS gateway. You can check out whether this tutorial gives you more insights: https://github.com/kyma-project/api-gateway/blob/main/docs/user/tutorials/01-30-set-up-mtls-gateway.md

adriil commented 4 months ago

Hi @Ressetkk, thank you for your documentation, this seems to be exactly what I needed indeed. In my use case, I need to forward the SSL information to the app, so my VirtualService looks like this:

cat <<EOF | kubectl apply -f - 
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-vs
  namespace: ${NAMESPACE}
spec:
  hosts:
  - "httpbin-vs.${DOMAIN_TO_EXPOSE_WORKLOADS}"
  gateways:
  - ${MTLS_GATEWAY_NAME}
  http:
  - route:
    - destination:
        port:
          number: 8000
        host: httpbin
      headers:
        request:
          set:
            X-CLIENT-SSL-CN: "%DOWNSTREAM_PEER_SUBJECT%"
            X-CLIENT-SSL-SAN: "%DOWNSTREAM_PEER_URI_SAN%"
            X-CLIENT-SSL-ISSUER: "%DOWNSTREAM_PEER_ISSUER%"
EOF

Is the header forwarding something APIRule supports?
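The VirtualService above sets (rather than appends) the X-CLIENT-SSL-* headers from Envoy's downstream peer certificate, so the backend receives the client's subject, SAN and issuer without terminating TLS itself. What the thread does not show is the receiving side: the app must treat those headers as the only source of client identity and check the issuer before looking at the subject, because any value a client sends in those header names is overwritten by the gateway. The following is an added example (not from the issue, not Kyma or Istio code) of a small backend-side check; it assumes the DN strings arrive in a comma-separated "CN=...,O=..." form with backslash-escaped commas and that the workload is only reachable through the mTLS gateway.

```python
"""Backend-side use of the mTLS identity headers set by the gateway.

Added example, not part of the kyma-project/api-gateway issue. Assumes the
headers were populated by the VirtualService shown in the thread and that the
service is reachable only via that gateway, so the values are trustworthy.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Header names exactly as set in the VirtualService in the thread.
HDR_SUBJECT = "X-CLIENT-SSL-CN"
HDR_SAN = "X-CLIENT-SSL-SAN"
HDR_ISSUER = "X-CLIENT-SSL-ISSUER"


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN=client-a,O=Example' into {'CN': 'client-a', 'O': 'Example'}.

    Assumed format (not taken from the page): attribute=value pairs separated
    by commas, with '\\,' escaping a literal comma inside a value.
    """
    parts = []
    current = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))

    result: Dict[str, str] = {}
    for part in parts:
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        result[key.strip().upper()] = value.strip()
    return result


@dataclass
class Decision:
    allowed: bool
    reason: str
    client_cn: Optional[str] = None


def authorize(headers: Dict[str, str], trusted_issuer: str,
              allowed_cns: Set[str]) -> Decision:
    """Decide whether the forwarded client certificate identity may proceed.

    Order matters: a missing header means the request did not come through
    the mTLS gateway path, and the issuer is checked before the subject so a
    certificate from an unrelated CA with a matching CN is still rejected.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    subject = lowered.get(HDR_SUBJECT.lower())
    issuer = lowered.get(HDR_ISSUER.lower())

    if not subject or not issuer:
        return Decision(False, "missing mTLS identity headers")
    if parse_dn(issuer) != parse_dn(trusted_issuer):
        return Decision(False, "untrusted issuer")

    cn = parse_dn(subject).get("CN")
    if cn not in allowed_cns:
        return Decision(False, "client CN not allowlisted", cn)
    return Decision(True, "ok", cn)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    ISSUER = "CN=Example Client CA,O=Example"
    sample = {HDR_SUBJECT: "CN=client-a,O=Example", HDR_ISSUER: ISSUER}
    print(authorize(sample, ISSUER, {"client-a"}))
```

The check deliberately compares parsed DNs rather than raw strings, so attribute spacing differences between what Envoy emits and what is configured do not cause spurious rejections, and it never falls back to any other header when the gateway-set ones are absent.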

Ressetkk commented 4 months ago

Now I get what you were looking for! Unfortunately, APIRule does not support setting custom headers in requests yet, and to support such a use case you'll have to use VirtualService directly. We'll discuss the possibility of implementing this feature in future versions of api-gateway. I'll create a follow-up issue for this feature. We are also open to contributions!

I'm sorry I cannot help you much more right now.