In this tutorial I am going to show how to configure mTLS for a service using Envoy.
This tutorial uses minikube to deploy the service, so make sure it is installed and that your kubectl (with kustomize) is pointing at your minikube cluster.
Run minikube
> minikube start
> kubectl config get-contexts
> kubectl config set-context minikube
We need to generate the Certificate Authority and sign the server and client certificates. We can use the provided scripts to generate the certificates by running:
> sh generate-ca-and-server-certs.sh
> sh generate-clients-certs.sh
After running the scripts, the following files should have been generated:
- ca.crt: The Root Certificate Authority certificate, which is used to verify the client certificates presented in requests.
- cert.pem: The intermediate certificate
- key.pem: The private server key
- client.crt: The client certificate
- client.key: The client private key
Let's deploy an echo-server, by running the following commands:
> kubectl apply -k ./echoserver
> minikube tunnel
This creates all the Kubernetes resources needed to deploy echo-server/envoy with mTLS.
If everything is successful, we should have two endpoints available:
- localhost:8082: This endpoint does not use mTLS and exists only to check that the echo-server is deployed.
- localhost:8080: This endpoint is protected by mTLS, so a plain request should be rejected. You should not get a response at localhost:8080 because we did not include the client certificate in our request.
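As an added illustration (not part of the project's own manifests), the following is a minimal Envoy v3 listener that enforces mTLS on port 8080 using the files generated above; the certificate mount path /etc/envoy/certs, the listener and cluster names, and the echo-server upstream address 127.0.0.1:8082 are assumptions:

```yaml
# Added example, not the project's manifest: Envoy listener requiring a client
# certificate signed by ca.crt. Paths under /etc/envoy/certs are assumed.
static_resources:
  listeners:
  - name: mtls_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # Reject any connection that does not present a client certificate ...
          require_client_certificate: true
          common_tls_context:
            # ... and validate the presented certificate against the CA in ca.crt.
            # Both settings are needed: the first demands a certificate, the
            # second decides which certificates are trusted.
            validation_context:
              trusted_ca: { filename: /etc/envoy/certs/ca.crt }
            # Server identity presented to clients: cert.pem chain plus key.pem.
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/cert.pem }
              private_key: { filename: /etc/envoy/certs/key.pem }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: mtls_ingress
          route_config:
            name: local_route
            virtual_hosts:
            - name: echoserver
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: echoserver }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: echoserver
    type: STATIC
    load_assignment:
      cluster_name: echoserver
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8082 }  # assumed upstream
```

With this configuration a client that sends no certificate is rejected during the TLS handshake, so it never receives an HTTP response, which is the behaviour described for localhost:8080 above.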
To test the client certificates using cURL:
curl -k -v --cacert <path_to_project>/echoserver/certs/ca.crt --cert <path_to_project>/echoserver/certs/client.crt --key <path_to_project>/echoserver/certs/client.key https://localhost:8080
Note that -k tells cURL to skip verification of the server certificate, so this command only exercises the client-certificate check on the Envoy side; without -k, cURL also verifies the server certificate against ca.crt.
TODO: PlantUml of what it's deployed