Let's discuss a possible approach for adding mTLS (mutual TLS) support to an existing infrastructure. But first, let's describe the existing infrastructure.

There is a microservice-based system that handles HTTP requests and does some business logic. The whole infrastructure is deployed in Google Cloud Platform and GKE. There is an API that is accessible via a public DNS name and is exposed by a GCP load balancer that terminates SSL and passes traffic to a backend service B that runs in a GKE cluster. B is just an application server that authenticates and authorizes requests based on an HTTP header.

Now, I want to add the possibility of implementing mTLS for some clients; that is, some clients require mTLS to provide two-sided authentication.

What is the best way to implement this in the current infrastructure?

Below: an image that depicts the current infra.

Gilgamesz

1 Answer


I am not sure if you are using Ingress or so, but you can create a self-signed cert and use it for mTLS.

I have used cert-manager internally in GKE as the CA authority; it also manages my certs.

The catch is that if you are using any service mesh/ingress controller and checking the mTLS cert at that level (unlike me, internally), the cert must be passed to the client side or added to the browser, or else the browser will give a CA auth error at least.

If you are using an ingress/mesh/gateway, you can do it with annotations/config and enable it to auth the cert.

Harsh Manvar