TSB supports specifying TLS or mTLS parameters for securing communication to external auth servers. This document will show you how to configure TLS validation for an external authorization server by adding a CA certificate to the authorization configuration.
Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts
✓ Install the TSB environment. You can use TSB demo for quick install
✓ Completed TSB usage quickstart. This document assumes you already created Tenant and are familiar with Workspace and Config Groups. Also you need to configure tctl to your TSB environment.
The examples in this document will build on top of "Configuring External Authorization in Ingress Gateways". Make sure to have completed that document before proceeding, and note that you will be working on the namespace
Create TLS certificate
To enable TLS for Ingress Gateway to authorization service traffic, you must have a TLS certificate. This document assumes you already have TLS certificates which usually include server certificate and private key along with the CA as root certificate that will be used by the client. This document use following files
authz.crtas server certificate
authz.keyas certificate private key
authz-ca.crtas CA certificate
If you decide to use other file names, please replace them accordingly throughout the examples below.
For the purpose of example, you can create self signed certificates using this scripts.
Once you have the files, create Kubernetes secret using server certificate and private key.
kubectl create secret tls -n httpbin opa-certs \
You will also need the CA certificate in to validate the TLS connection.
authz-ca that will contain the CA certificate:
kubectl create configmap -n httpbin authz-ca \
Deploy Authorization Service with TLS certificate
Follow the instructions in "Installing Open Policy Agent in TSB" to setup an instance OPA with a sidecar proxy that terminates TLS.
Modify Ingress Gateway
You will need to add CA certificate to the Ingress Gateway to validate the TLS connection.
Create a file named
httpbing-ingress-gateway.yaml with the following contents. This manifest adds overlays to read the
authz-ca that contains the CA certificates to the Ingress Gateway deployment.
- apiVersion: apps/v1
- path: spec.template.spec.volumes[-1]
- path: spec.template.spec.containers.[name:istio-proxy].volumeMounts[-1]
Apply with kubectl:
kubectl apply -f httpbin-ingress-gateway.yaml
Then update the Ingress Gateway configuration to enable TLS validation:
- name: httpbin
Apply with tctl
tctl apply -f ext-authz-ingress-gateway-tls.yaml
You can use the same testing steps as shown in "Configuring External Authorization in Ingress Gateways"