Expose and secure a workload with a certificate

This tutorial shows how to expose and secure a workload with mutual authentication using a mutual TLS Gateway.

Prerequisites

This tutorial is based on a sample HttpBin service deployment and a sample Function. To deploy or create one of those, follow the Create a workload tutorial.

Before you start, set up:

Optionally, take a look at the How to create own self-signed Client Root CA and Certificate tutorial.

Authorize client with a certificate

The following instructions describe how to further secure the mTLS service or Function.

NOTE: Create an AuthorizationPolicy to check whether the common name in the client's certificate matches the expected one.

  1. Export the following values as environment variables:

    export CLIENT_ROOT_CA_CRT_FILE={CLIENT_ROOT_CA_CRT_FILE}
    export CLIENT_CERT_CN={COMMON_NAME}
    export CLIENT_CERT_ORG={ORGANIZATION}
    export CLIENT_CERT_CRT_FILE={CLIENT_CERT_CRT_FILE}
    export CLIENT_CERT_KEY_FILE={CLIENT_CERT_KEY_FILE}
  • HttpBin
  • Function
  • Call the secured endpoints of a service
  • Call the secured Function
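
Because the AuthorizationPolicy checks the common name in the client certificate, it helps to confirm that the values exported in step 1 agree with each other before testing the endpoint. The following is an added example, not part of the original tutorial or the Kyma project: the function names `subject_field`, `check_client_cert` and `make_demo_certs` are hypothetical, the demo CA and certificate are constructed sample input, and the `openssl` CLI is assumed to be installed.

```sh
#!/bin/sh
# Added example. Function names are hypothetical; the variables are the ones
# exported in step 1. Requires the openssl CLI.

# Print one subject attribute (for example CN or O) of a PEM certificate.
# Simple parser: assumes attribute values contain no escaped commas.
subject_field() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Return 0 only if the certificate chains to the client root CA, the private
# key belongs to the certificate, and CN and O match the exported values.
check_client_cert() {
  openssl verify -CAfile "$CLIENT_ROOT_CA_CRT_FILE" "$CLIENT_CERT_CRT_FILE" \
    >/dev/null 2>&1 || { echo "not signed by client root CA" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$CLIENT_CERT_CRT_FILE" -noout -pubkey)
  key_pub=$(openssl pkey -in "$CLIENT_CERT_KEY_FILE" -pubout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "key does not match certificate" >&2; return 2; }
  [ "$(subject_field "$CLIENT_CERT_CRT_FILE" CN)" = "$CLIENT_CERT_CN" ] ||
    { echo "CN mismatch" >&2; return 3; }
  [ "$(subject_field "$CLIENT_CERT_CRT_FILE" O)" = "$CLIENT_CERT_ORG" ] ||
    { echo "O mismatch" >&2; return 4; }
}

# Constructed sample input: a throwaway CA and client certificate in DIR ($1).
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/O=demo-org/CN=demo-client" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -set_serial 1 -days 1 -out "$1/client.crt" 2>/dev/null
}
```

After exporting the real values from step 1, run `check_client_cert`; a non-zero exit status identifies which of the four checks failed.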