Hi, I have to set up mTLS in Apigee hybrid for inbound requests. I have done it in SaaS and OPDK, but I am learning the hybrid model. Since host aliases are defined at the environment group level, could someone please help me understand how to configure mTLS between the consumer and Apigee, and also how to manage multiple client certificates?
Thanks,
Patty
In the overrides.yaml file, add a stanza like this:

virtualhosts:
- name: internal                  # environment group name
  minTLSProtocolVersion: "1.2"
  maxTLSProtocolVersion: "1.3"
  tlsMode: MUTUAL
  sslSecret: my-tls-secret        # k8s secret name in istio-system namespace
Read more about overrides configuration here.
Hi Srinandans,
Thanks for your reply. Does hybrid provide a UI to configure this, like SaaS or OPDK has with the Edge UI? Also, suppose multiple clients come with certificates from different CA roots; how do we configure all the client certs, and does it require a restart of the server?
Thanks,
Patty
No, Apigee does not provide a UI to configure this. The Ingress (somewhat equivalent to the Router component in OPDK) is customer managed with Apigee hybrid. Customers configure the Ingress by configuring Kubernetes directly (in this case by creating a Kubernetes secret). Apigee hybrid uses Anthos Service Mesh (Istio) as the Ingress.
mTLS is achieved by a two-step process:
Once you have set up these secrets (in the istio-system namespace), configure the overrides.yaml as shown above and use apigeectl to configure Kubernetes.
In your case, the cacert file contains all the CA certs you wish to trust.
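As an added illustration of the answer above (not code from the thread or from Apigee), the script below combines several client-CA root certificates into the single cacert file, checks the result, and loads it into the istio-system secret that overrides.yaml names in sslSecret. The secret name my-tls-secret comes from the thread; the key/cert/cacert secret keys are the ones the Istio ingress gateway reads for mutual TLS; file names and paths are assumptions.

```shell
#!/bin/sh
# Added example: build one CA bundle for MUTUAL TLS on the hybrid ingress.
# Secret name, file names and paths are assumed, not taken from the thread.
set -eu

# Append each client-CA PEM to one bundle. Refuses any file without a PEM
# certificate marker so a stray key or empty file cannot silently leave a
# partner CA out of the trust store.
build_ca_bundle() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
      echo "refusing $f: no PEM certificate found" >&2
      return 1
    fi
    cat "$f" >> "$out"
    # PEM blocks must start on their own line; add a newline if the file had none
    [ -z "$(tail -c1 "$out")" ] || echo >> "$out"
  done
}

# Number of certificates in a bundle: verify every CA made it in before the
# secret is rolled, and again after each CA rotation.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Create or update the ingress secret in istio-system. 'cacert' carries the
# bundle of all CAs to trust; 'key' and 'cert' are the server key and cert.
# Re-run after a CA change, then apply overrides.yaml again with apigeectl.
apply_ingress_secret() {
  name="$1"; key="$2"; cert="$3"; cacert="$4"
  kubectl -n istio-system create secret generic "$name" \
    --from-file=key="$key" \
    --from-file=cert="$cert" \
    --from-file=cacert="$cacert" \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Usage (assumed file names):
#   build_ca_bundle cacert.pem partner-a-root.pem partner-b-root.pem
#   echo "trusted CAs: $(count_certs cacert.pem)"
#   apply_ingress_secret my-tls-secret server.key server.crt cacert.pem
```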