ACM Private CA Policy

You can use Amazon Certificate Manager as a Certificate Authority (CA) for mTLS with Kong Mesh.

The default mTLS policy in Kong Mesh supports the following Certificate Authority (CA) backends:

• builtin: Kong Mesh automatically generates the CA root certificate and key used to generate Data Plane certificates.
• provided: The CA root certificate and key can be provided by the user.
• vault: Uses a CA root certificate and key stored in a HashiCorp Vault server.
• acmpca: Uses Amazon Certificate Manager Private CA to generate Data Plane certificates.
• certmanager: Uses the Kubernetes cert-manager certificate controller.

In acmpca mTLS mode, Kong Mesh uses Amazon Certificate Manager to automatically generate Data Plane certificates. The private key of the CA is secured by AWS and never exposed.

You configure Kong Mesh to use the ACM resource and optionally specify AWS authentication credentials. The system uses the AWS default credential chain (environment variables, config files, roles).

Certificates are issued and rotated by the Zone Control Plane for each Data Plane proxy.

To configure ACM Private CA in Kong Mesh:

• Create an ACM Private CA in AWS. You can use a Root or Intermediate CA.
• Record the ARN and Root Certificate Chain of the CA.
• Apply a Mesh resource with an acmpca mTLS backend using either Kubernetes or Universal mode.

The acmpca backend can authenticate via:

• The default AWS credential chain (preferred)
• Inline credentials (for testing only)
• Mesh-scoped secret resources

For example:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: acmpca-1
    backends:
      - name: acmpca-1
        type: acmpca
        dpCert:
          rotation:
            expiration: 1d
        conf:
          arn: "arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012" # AWS ARN of the Private CA
          commonName: '{{ tag "kuma.io/service" }}.mesh' # optional. If set, then commonName is added to the certificate. You can use "tag" directive to pick a tag which will be base for commonName. If unset, a Subject Alternative Name may be duplicated as Common Name.
          caCert:             # caCert is used to verify the TLS certificate presented by ACM.
            secret: sec-1     # one of file, secret or inline.
          auth: # Optional AWS authentication keys. If unset, default credential chain locations are searched.
            awsCredentials:
              accessKey:
                secret: sec-2  # one of file, secret or inline.
              accessKeySecret:
                file: /tmp/accesss_key.txt # one of file, secret or inline.

type: Mesh
name: default
mtls:
  enabledBackend: acmpca-1
  backends:
  - name: acmpca-1
    type: acmpca
    dpCert:
      rotation:
        expiration: 24h
    conf:
      arn: "arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012" # AWS ARN of the Private CA
      commonName: '{{ tag "kuma.io/service" }}.mesh' # optional. If set, then commonName is added to the certificate. You can use "tag" directive to pick a tag which will be base for commonName. If unset, a Subject Alternative Name may be duplicated as Common Name.
      caCert:              # caCert is used to verify the TLS certificate presented by ACM.
        secret: sec-1      # one of file, secret or inline.
      auth:  # Optional AWS authentication keys. If unset, default credential chain locations are searched.
        awsCredentials:
          accessKey:
            secret: sec-2  # one of file, secret or inline.
          accessKeySecret:
            file: /tmp/accesss_key.txt # one of file, secret or inline.

These configurations can be applied with kumactl apply -f [..].

In a multi-zone environment, the global Control Plane provides the Mesh to the zone Control Planes. However, you must make sure that each zone Control Plane can communicate with ACM Private CA. This is because certificates for Data Plane proxies are requested from ACM Private CA by the zone Control Plane, not the global Control Plane.