Expose and secure a workload with a certificate
This tutorial shows how to expose and secure a workload with mutual authentication using a mutual TLS Gateway.
Prerequisites
This tutorial is based on a sample HttpBin service deployment and a sample Function. To deploy or create one of those, follow the Create a workload tutorial.
Before you start, set up:
- Custom Domain - skip step 5 (Create a Gateway CR)
- mTLS Gateway, which enables mutual authentication in Kyma; make sure that you have exported the bundle certificates, because the client must present a certificate chaining to that bundle on every call.
Optionally, take a look at the How to create own self-signed Client Root CA and Certificate tutorial.
Authorize client with a certificate
The following instructions describe how to further restrict access to the service or Function exposed through the mTLS Gateway.
NOTE: The Gateway only verifies that the client certificate chains to the trusted root CA. To also bind the workload to a specific client, create an AuthorizationPolicy that checks whether the common name (CN) in the client certificate matches the expected value.
Export the following values as environment variables:
```bash
export CLIENT_ROOT_CA_CRT_FILE={CLIENT_ROOT_CA_CRT_FILE}
export CLIENT_CERT_CN={COMMON_NAME}
export CLIENT_CERT_ORG={ORGANIZATION}
export CLIENT_CERT_CRT_FILE={CLIENT_CERT_CRT_FILE}
export CLIENT_CERT_KEY_FILE={CLIENT_CERT_KEY_FILE}
```
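The following script is an added example and not the tutorial's own manifests. It renders an AuthorizationPolicy that pins the mTLS-exposed HttpBin workload to one client certificate subject, built from the environment variables exported above, and shows how to check what the Gateway actually forwards before relying on the match. It assumes (none of this is stated on the page) that the mTLS Gateway's VirtualService copies Envoy's peer-certificate subject into a request header named X-Client-Ssl-Cn (hypothetical name), that the client CSR was created with the subject order /CN=.../O=... so Envoy's RFC 2253 rendering reads `O=<org>,CN=<cn>`, that the workload carries the label app=httpbin, and that the ingress gateway runs under Istio's default service account in istio-system.

```shell
#!/bin/sh
# Added example, not part of the Kyma tutorial. Renders an Istio AuthorizationPolicy
# that only admits requests whose forwarded client-certificate subject matches the
# exported CN/O, and provides a helper to inspect the forwarded header end to end.
#
# Assumptions (not from the page):
#  - the mTLS VirtualService sets a request header (hypothetical name X-Client-Ssl-Cn)
#    from Envoy's %DOWNSTREAM_PEER_SUBJECT% before routing to HttpBin;
#  - the CSR subject was given as "/CN=<cn>/O=<org>", so Envoy's RFC 2253 output
#    lists the RDNs in reverse order: "O=<org>,CN=<cn>";
#  - the workload is labelled app=httpbin in $NAMESPACE;
#  - the ingress gateway uses Istio's default service account in istio-system.
# Demo defaults are constructed so the script runs offline; the tutorial's exported
# variables override them.

NAMESPACE="${NAMESPACE:-default}"
DOMAIN_TO_EXPOSE_WORKLOADS="${DOMAIN_TO_EXPOSE_WORKLOADS:-example.com}"
CLIENT_CERT_CN="${CLIENT_CERT_CN:-client-a}"
CLIENT_CERT_ORG="${CLIENT_CERT_ORG:-example-org}"
CLIENT_SUBJECT_HEADER="${CLIENT_SUBJECT_HEADER:-X-Client-Ssl-Cn}"
GATEWAY_PRINCIPAL="${GATEWAY_PRINCIPAL:-cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account}"

# The subject string the policy must match: Envoy prints RDNs in reverse DER order.
expected_client_subject() {
  printf 'O=%s,CN=%s' "$CLIENT_CERT_ORG" "$CLIENT_CERT_CN"
}

# Render the policy. All three clauses of the rule are ANDed:
#  - from: only requests that arrive with the ingress gateway's mTLS identity, so a
#    pod inside the mesh cannot bypass the Gateway with a hand-crafted subject header;
#  - to: only the mTLS host name, not other routes to the same pod;
#  - when: the forwarded subject must equal the expected CN/O exactly.
# Because an ALLOW policy now selects the workload, anything not matched is denied.
render_authz_policy() {
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-client-cert
  namespace: ${NAMESPACE}
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["${GATEWAY_PRINCIPAL}"]
    to:
    - operation:
        hosts: ["httpbin.${DOMAIN_TO_EXPOSE_WORKLOADS}"]
    when:
    - key: request.headers[${CLIENT_SUBJECT_HEADER}]
      values: ["$(expected_client_subject)"]
EOF
}

# Present the client certificate and let HttpBin echo the request headers back:
# the value shown for the subject header is exactly what the policy compares against.
# Run this once before applying the policy; if the echoed value differs from
# expected_client_subject (for example because of a different RDN order), adjust the
# expected string rather than loosening the policy.
call_secured_endpoint() {
  curl --cacert "$CLIENT_ROOT_CA_CRT_FILE" \
       --cert "$CLIENT_CERT_CRT_FILE" --key "$CLIENT_CERT_KEY_FILE" \
       -sS "https://httpbin.${DOMAIN_TO_EXPOSE_WORKLOADS}/headers"
}

# Usage: render_authz_policy | kubectl apply -f -
```

A client presenting a certificate from the same root CA but with a different CN receives 403 from the sidecar rather than a TLS failure from the Gateway, which is the signal to look for when testing the policy; a certificate not issued by the trusted root never gets past the handshake at all.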
- HttpBin
- Function
- Call the secured endpoints of a service
- Call the secured Function