Skip to main content
logoTetrate Service BridgeVersion: 1.10.x

Enforce Gateways to Services Traffic over mTLS

This doc will cover how to enforce Gateway to upstream services communication over mTLS, irrespective of whether the upstream services are sidecar injected or non-injected.

Before you get started, make sure:
✓ TSB is up and running, and GitOps has been enabled for the target cluster
✓ Familiarize yourself with TSB concepts
✓ Completed TSB usage quickstart. This document assumes you are familiar with Tenant Workspace and Config Groups.

Scenario

Consider an IngressGateway is deployed to route to multiple upstream services, one being sidecar injected i.e istio-injection enabled in the namespace, and another being non-injected.

Here we have 2 httpbin services deployed in 2 different namespaces. One sleep service is deployed in mesh namespace and another sleep service is deployed in non-mesh namespace. We have also deployed an IngressGateway with 2 separate routes exposed named /mesh and /non-mesh to route to corresponding mesh enabled and disabled services.

TSB Configuration

Create the TSB configurations like Tenant/Workspace/Group as shown below.

tsb-conf.yaml
apiVersion: api.tsb.tetrate.io/v2
kind: Tenant
metadata:
displayName: Research
name: research
organization: tetrate
spec:
displayName: Research
---
apiVersion: api.tsb.tetrate.io/v2
kind: Workspace
metadata:
name: mesh-ws
organization: tetrate
tenant: research
spec:
namespaceSelector:
names:
- cp-cluster-1/mesh
---
apiVersion: gateway.tsb.tetrate.io/v2
kind: Group
metadata:
name: mesh-gg
organization: tetrate
tenant: research
workspace: mesh-ws
spec:
namespaceSelector:
names:
- cp-cluster-1/mesh
---
apiVersion: traffic.tsb.tetrate.io/v2
kind: Group
metadata:
name: mesh-tg
organization: tetrate
tenant: research
workspace: mesh-ws
spec:
namespaceSelector:
names:
- cp-cluster-1/mesh
---

Configure Gateway

Configure IngressGateway deployment as shown below

gw-install.yaml
apiVersion: install.tetrate.io/v1alpha1
kind: Gateway
metadata:
name: ingress
namespace: mesh
spec:
type: INGRESS
kubeSpec:
service:
type: LoadBalancer
kubectl apply -f gw-install.yaml -n mesh

Configure TSB Gateway resource

ingress-gw.yaml
apiVersion: gateway.tsb.tetrate.io/v2
kind: Gateway
metadata:
group: mesh-gg
name: ingress
organization: tetrate
tenant: research
workspace: mesh-ws
spec:
http:
- hostname: httpbin.tetrate.io
name: ingress
port: 80
routing:
rules:
- match:
- uri:
prefix: /mesh
route:
serviceDestination:
host: httpbin/httpbin.mesh.svc.cluster.local
- match:
- uri:
prefix: /non-mesh
route:
serviceDestination:
host: httpbin/httpbin.non-mesh.svc.cluster.local
workloadSelector:
labels:
app: ingress
istio: ingressgateway
namespace: mesh

Configure TrafficSetting

As you can see in the below configuration, we have configured trafficMode: REQUIRED for both hosts to enforce mTLS for upstream connection using upstreamTrafficSetting

apiVersion: traffic.tsb.tetrate.io/v2
kind: TrafficSetting
metadata:
group: mesh-tg
name: enforce-mtls
organization: tetrate
tenant: research
workspace: mesh-ws
spec:
outbound:
upstreamTrafficSettings:
- hosts:
- httpbin.mesh.svc.cluster.local
- httpbin.non-mesh.svc.cluster.local
settings:
authentication:
trafficMode: REQUIRED
resilience:
connectionPool:
http:
requestTimeout: 2s

Verification

  1. Send request to /mesh path, and you will notice that the request work as expected and will return status code as 200.
  2. send request to /non-mesh, and you will notice that the request is failed with HTTP status code as 503, given that the client waits longer than the request timeout configured in the ingress gateway.