Open adriil opened 6 months ago
Hello @adriil, would you like to give more information about your use case? What exactly do you need to modify in the VirtualService to get mTLS working? Recently I've updated the documentation on how to set up an mTLS gateway. You can check whether this tutorial gives you more insight. https://github.com/kyma-project/api-gateway/blob/main/docs/user/tutorials/01-30-set-up-mtls-gateway.md
Hi @Ressetkk,
Thank you for your documentation, this seems to be exactly what I needed indeed.
In my use case, I need to forward the SSL information to the app, so my VirtualService looks like this:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-vs
  namespace: ${NAMESPACE}
spec:
  hosts:
    - "httpbin-vs.${DOMAIN_TO_EXPOSE_WORKLOADS}"
  gateways:
    - ${MTLS_GATEWAY_NAME}
  http:
    - route:
        - destination:
            port:
              number: 8000
            host: httpbin
          headers:
            request:
              set:
                X-CLIENT-SSL-CN: "%DOWNSTREAM_PEER_SUBJECT%"
                X-CLIENT-SSL-SAN: "%DOWNSTREAM_PEER_URI_SAN%"
                X-CLIENT-SSL-ISSUER: "%DOWNSTREAM_PEER_ISSUER%"
EOF
```

Is the header forwarding something APIRule supports?
Now I get what you were looking for! Unfortunately APIRule does not support setting custom headers in requests yet, and to support such a use case you'll have to use VirtualService directly, unfortunately. We'll discuss the possibility of implementing this feature in future versions of api-gateway. I'll create a follow-up issue for this feature. We are also open for contributions!
I'm sorry I cannot help you much more right now.
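An added example, not part of the original thread or of the api-gateway project: how a backend behind the gateway could read the `X-CLIENT-SSL-*` headers set in the VirtualService above. It assumes Envoy renders `%DOWNSTREAM_PEER_SUBJECT%` as a full RFC 2253 style DN (so `X-CLIENT-SSL-CN` carries the whole subject, not only the CN) and `%DOWNSTREAM_PEER_URI_SAN%` as a comma-separated list; `parse_dn`, `client_identity`, `is_authorized` and the allow-list are hypothetical names and values.

```python
HEX = "0123456789abcdefABCDEF"
ALLOWED_CNS = {"client.example.com"}  # constructed allow-list for the example


def parse_dn(dn: str) -> dict:
    """Split an RFC 2253 style DN into {ATTR: [values]}, honouring escapes."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                buf.append(chr(int(pair, 16)))  # hex escape such as \2C
                i += 3
            else:
                buf.append(dn[i + 1])           # escaped special such as \,
                i += 2
            continue
        if ch in ",+":                          # unescaped RDN separator
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    attrs = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            attrs.setdefault(key.strip().upper(), []).append(value)
    return attrs


def client_identity(headers: dict):
    """Return (cn, uri_sans), or None when no single CN was forwarded."""
    cns = parse_dn(headers.get("X-CLIENT-SSL-CN", "")).get("CN", [])
    if len(cns) != 1:
        return None                             # missing or ambiguous subject
    sans = [s for s in headers.get("X-CLIENT-SSL-SAN", "").split(",") if s]
    return cns[0], sans


def is_authorized(headers: dict) -> bool:
    """Exact match on the parsed CN, never a substring test on the raw DN."""
    ident = client_identity(headers)
    return ident is not None and ident[0] in ALLOWED_CNS
```

These headers identify the client only if the workload is reachable exclusively through the mTLS gateway; because the VirtualService uses `set`, any value a caller sends under the same header names is overwritten at the gateway.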
Description
Hi team,
Today, if we want to expose our service with mTLS (as documented here), we need to use an Istio `VirtualService`. Could we make Kyma natively support the mTLS use case with `APIRule`?
Reasons
`APIRule` for both JWT and TLS scenario
DoD:
Attachments