Supports mTLS scenario with APIRule

[adriil]

Description

Hi team,

Today, if we want to expose our service with mTLS (as documented here), we need to use an Istio's VirtualService.
Could we make Kyma natively supporting the mTLS use case with APIRule ?

Reasons

• Use only Kyma APIRule for both JWT and TLS scenario

DoD:

• Create a follow-up issue.
• Provide unit tests.
• Provide integration tests.
• Provide documentation.
• Test on a production-like environment.
• Verify if the solution works for both open-source Kyma and SAP BTP, Kyma runtime.
• Check the outcome of all related pipelines.
• Verify resource limits.
• As a PR reviewer, verify code coverage and evaluate if it is acceptable.
• Create a release.
• Add release notes and What's New notes for Kyma customers.

Attachments

[Ressetkk]

Hello @adriil would you like to give more information about your use-case? What do you exactly need to modify in the VirtualService to get mTLS working? Recently I've updated the documentation how to set up mTLS gateway. You can check out if this tutorial can give you more insights. https://github.com/kyma-project/api-gateway/blob/main/docs/user/tutorials/01-30-set-up-mtls-gateway.md

[adriil]

Hi @Ressetkk,
Thank you for your documentation, this seems to be exactly what I needed indeed.
In my use case, I need to forward the SSL information to the app, so my VirtualService looks like this :

cat <<EOF | kubectl apply -f - 
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin-vs
  namespace: ${NAMESPACE}
spec:
  hosts:
  - "httpbin-vs.${DOMAIN_TO_EXPOSE_WORKLOADS}"
  gateways:
  - ${MTLS_GATEWAY_NAME}
  http:
  - route:
    - destination:
        port:
          number: 8000
        host: httpbin
      headers:
        request:
          set:
            X-CLIENT-SSL-CN: "%DOWNSTREAM_PEER_SUBJECT%"
            X-CLIENT-SSL-SAN: "%DOWNSTREAM_PEER_URI_SAN%"
            X-CLIENT-SSL-ISSUER: "%DOWNSTREAM_PEER_ISSUER%"
EOF

Is the header forwarding something APIRule supports ?

[Ressetkk]

Now I get what you were looking for!
Unfortunately APIRule does not support setting custom headers in requests yet, and to support such use-case you'll have to use VirtualService directly, unfortunately.
We'll discuss the possibility of implementing this feature in future versions of api-gateway. I'll create a follow-up issue for this feature. We are also open for contributions!

I'm sorry I cannot help you much more right now.

[strekm]

actually it should be supported by mutators in APIRule v1* and request modifiers in APIRule v2*. @adriil mentioned tutorial also is creating Istio AuthorizationPolicy. you would expect it to be created by APIRule too, right?