Supports mTLS scenario with APIRule #808

Open
11 tasks
adriil opened this issue Jan 10, 2024 · 4 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.


adriil commented Jan 10, 2024

Description

Hi team,

Today, if we want to expose our service with mTLS (as documented here), we need to use an Istio VirtualService.
Could we make Kyma natively support the mTLS use case with APIRule?

Reasons

  • Use only Kyma APIRule for both JWT and TLS scenarios

DoD:

  • Create a follow-up issue.
  • Provide unit tests.
  • Provide integration tests.
  • Provide documentation.
  • Test on a production-like environment.
  • Verify if the solution works for both open-source Kyma and SAP BTP, Kyma runtime.
  • Check the outcome of all related pipelines.
  • Verify resource limits.
  • As a PR reviewer, verify code coverage and evaluate if it is acceptable.
  • Create a release.
  • Add release notes and What's New notes for Kyma customers.

@adriil adriil added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 10, 2024
@Ressetkk
Contributor

Hello @adriil, would you like to give more information about your use case? What exactly do you need to modify in the VirtualService to get mTLS working? Recently I've updated the documentation on how to set up an mTLS gateway. You can check whether this tutorial gives you more insights. https://github.com/kyma-project/api-gateway/blob/main/docs/user/tutorials/01-30-set-up-mtls-gateway.md

@adriil
Author

adriil commented Feb 22, 2024

Hi @Ressetkk,
Thank you for your documentation, this seems to be exactly what I needed indeed.
In my use case, I need to forward the SSL information to the app, so my VirtualService looks like this:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-vs
  namespace: ${NAMESPACE}
spec:
  hosts:
  - "httpbin-vs.${DOMAIN_TO_EXPOSE_WORKLOADS}"
  gateways:
  - ${MTLS_GATEWAY_NAME}
  http:
  - route:
    - destination:
        port:
          number: 8000
        host: httpbin
      headers:
        request:
          # "set" overwrites any value the client sent for these headers
          # with the details of the certificate presented at the gateway.
          set:
            X-CLIENT-SSL-CN: "%DOWNSTREAM_PEER_SUBJECT%"
            X-CLIENT-SSL-SAN: "%DOWNSTREAM_PEER_URI_SAN%"
            X-CLIENT-SSL-ISSUER: "%DOWNSTREAM_PEER_ISSUER%"
EOF
```

Is header forwarding something APIRule supports?
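
An added example (not from this thread or from the Kyma project) of how the workload behind the VirtualService above could consume the forwarded headers: `X-CLIENT-SSL-CN` carries the whole subject from `%DOWNSTREAM_PEER_SUBJECT%`, so the app has to parse a DN with escape handling rather than read a bare CN. It assumes the subject and issuer arrive as RFC 2253 style strings, that header keys are lower-cased by the framework, and a hypothetical issuer allowlist; `split_unescaped`, `unescape` and `client_cn` are illustrative names.

```python
import re

def split_unescaped(text, sep):
    """Split text on sep, skipping any separator that is backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts

def unescape(value):
    """Resolve escapes in one pass: \\2C style hex pairs and \\, style characters."""
    def repl(match):
        token = match.group(1)
        return chr(int(token, 16)) if len(token) == 2 else token
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def client_cn(headers, allowed_issuers):
    """Return the single CN of the forwarded subject, or None to reject."""
    subject = headers.get("x-client-ssl-cn", "")      # full DN, despite the name
    issuer = headers.get("x-client-ssl-issuer", "")
    if not subject or issuer not in allowed_issuers:
        return None
    cns = []
    for rdn in split_unescaped(subject, ","):
        for ava in split_unescaped(rdn, "+"):          # multi-valued RDN
            key, _, value = ava.strip().partition("=")
            if key.strip().upper() == "CN":
                cns.append(unescape(value))
    return cns[0] if len(cns) == 1 else None           # ambiguous or absent CN: reject

# Constructed sample values, not taken from a real deployment.
ISSUERS = {"CN=Example Client CA,O=Example"}
SAMPLE = {
    "x-client-ssl-cn": r"O=Acme\,CN=admin,CN=guest",
    "x-client-ssl-issuer": "CN=Example Client CA,O=Example",
}

if __name__ == "__main__":
    print(client_cn(SAMPLE, ISSUERS))  # a naive split(",") would pick "admin"
```

These headers are only meaningful when the workload is reachable solely through the mTLS gateway, since the values are trusted because the gateway set them.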

@Ressetkk
Contributor

Now I get what you were looking for!
Unfortunately, APIRule does not support setting custom headers in requests yet, and to support such a use case you'll have to use VirtualService directly, unfortunately.
We'll discuss the possibility of implementing this feature in future versions of api-gateway. I'll create a follow-up issue for this feature. We are also open for contributions!

I'm sorry I cannot help you much more right now.

@strekm
Contributor

strekm commented Sep 5, 2024

Actually, it should be supported by mutators in APIRule v1* and request modifiers in APIRule v2*. @adriil, the mentioned tutorial is also creating an Istio AuthorizationPolicy. You would expect it to be created by APIRule too, right?
