Configuring Mutual TLS

If you want to configure version, ciphers or per-service permissive/strict mode, see MeshTLS.

The Mutual TLS (mTLS) policy enables automatic encrypted mTLS traffic for all the services in a mesh, and allows you to assign an identity to every data plane proxy. Kong Mesh supports different types of CA backends as well as automatic certificate rotation.

Kong Mesh ships with the following CA (Certificate Authority) supported backends:

• builtin: Kong Mesh automatically generates a CA root certificate and key, which are stored as a Secret.
• provided: The user provides the CA root certificate and key as a Secret.

Once you’ve specified a CA backend, Kong Mesh automatically generates a certificate for every data plane proxy in the mesh. The certificates that Kong Mesh generates are SPIFFE compatible and are used for AuthN/Z use cases in order to identify every workload in the system.

The certificates that Kong Mesh generates have a SAN set to spiffe://<mesh name>/<service name>. When Kong Mesh enforces policies that require an identity, like MeshTrafficPermission, it will extract the SAN from the client certificate and use it to match the service identity.

By default mTLS is not enabled. You need to activate it explicitly as described below. When you enable mTLS, all traffic is denied unless a MeshTrafficPermission you configure a policy to explicitly allow traffic across proxies.

Always make sure to include MeshTrafficPermission in your configuration before enabling mTLS in a mesh to avoid unexpected traffic interruptions caused by a lack of authorization between proxies.

To enable mTLS, configure the mtls property in a Mesh resource. You can have as many backends as you want, but only one at a time can be enabled via the enabledBackend property.

A missing or empty enabledBackend property deactivates mTLS for the entire mesh.

A builtin CA is the fastest and simplest way to enable mTLS in Kong Mesh.

With a builtin CA backend type, Kong Mesh dynamically generates its own CA root certificate and key that it uses to automatically provision and rotate certificates for every replica of every service.

You can specify more than one builtin backend with different names, and each one is automatically provisioned with a unique certificate and key pair.

To enable a builtin mTLS for the entire mesh, apply the following configuration:

To prevent disruption of your traffic, we highly recommend adding a MeshTrafficPermission policy before enabling mTLS. This policy will allow communication between your applications.

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin
        dpCert:
          rotation:
            expiration: 1d
        conf:
          caCert:
            RSAbits: 2048
            expiration: 10y

type: Mesh
name: default
mtls:
  enabledBackend: ca-1
  backends:
    - name: ca-1
      type: builtin
      dpCert:
        rotation:
          expiration: 1d
      conf:
        caCert:
          RSAbits: 2048
          expiration: 10y

• The dpCert configuration determines how often Kong Mesh should automatically rotate the certificates assigned to every data plane proxy.
• The caCert configuration determines a few properties that Kong Mesh will use when auto-generating the CA root certificate.

Storing Secrets

When using a builtin backend Kong Mesh automatically generates a root CA certificate and key that are stored as a Kong Mesh Secret resource with the following name:

• <mesh name>.ca-builtin-cert-<backend name> for the certificate
• <mesh name>.ca-builtin-key-<backend name> for the key

Secrets are stored depending on the platform:

• Kubernetes stores Kong Mesh Secrets in the kong-mesh-system.
• Universal stores secrets in the underlying store configured in kuma-cp.

Retrieve the secrets via kumactl on both Universal and Kubernetes, or via kubectl on Kubernetes only:

kumactl get secrets [-m MESH]
# MESH      NAME                           AGE
# default   default.ca-builtin-cert-ca-1   1m
# default   default.ca-builtin-key-ca-1    1m

kubectl get secrets \
    -n kong-mesh-system \
    --field-selector='type=system.kuma.io/secret'
# NAME                             TYPE                                  DATA   AGE
# default.ca-builtin-cert-ca-1     system.kuma.io/secret                 1      1m
# default.ca-builtin-key-ca-1      system.kuma.io/secret                 1      1m

If you choose to provide your own CA root certificate and key, you can use the provided backend. With this option, you must also manage the certificate lifecycle yourself.

Unlike the builtin backend, with provided you first upload the certificate and key as Secret resource, and then reference the Secrets in the mTLS configuration.

Kong Mesh then provisions data plane proxy certificates for every replica of every service from the CA root certificate and key.

Sample configuration

Here’s an example of how to configure a provided CA:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: provided
        dpCert:
          rotation:
            expiration: 1d
        conf:
          cert:
            secret: $CERT_SECRET_NAME
          key:
            secret: $KEY_SECRET_NAME

type: Mesh
name: default
mtls:
  enabledBackend: ca-1
  backends:
    - name: ca-1
      type: provided
      dpCert:
        rotation:
          expiration: 1d
      conf:
        cert:
          secret: $CERT_SECRET_NAME
        key:
          secret: $KEY_SECRET_NAME

• The dpCert configuration determines how often Kong Mesh should automatically rotate the certificates assigned to every data plane proxy.
• The Secrets must exist before referencing them in a provided backend.

Intermediate CA

You can also use an intermediate CA with a provided backend. Generate the certificate and place it first in certificate file, before the certificate from the root CA. The certificate from the root CA should start on a new line:

-----BEGIN CERTIFICATE-----
<intermediate CA certificate content>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<root CA certificate content>
-----END CERTIFICATE-----

Then create the Secret to use in the cert section of the config. The secret for the key should contain only the private key for the certificate from the intermediate CA.

You can chain certificates from multiple intermediate CAs the same way. Place the certificate from the closest CA at the top of the cert file, followed by certificates in order up the certificate chain, then generate the Secret to hold the contents of the file.

CA requirements

When using an arbitrary certificate and key for a provided backend, ensure compliance with the following requirements:

• It must have the basic constraint CA set to true (see X509-SVID: 4.1. Basic Constraints)
• It must have the key usage extension keyCertSign set (see X509-SVID: 4.3. Key Usage)
• It must not have the key usage extension keyAgreement set (see X509-SVID: Appendix A. X.509 Field Reference)
• It should not set the key usage extension digitalSignature and keyEncipherment to be SPIFFE compliant (see X509-SVID: Appendix A. X.509 Field Reference)

The following example generates a sample CA certificate and key:

Do not use this example in production, instead generate valid and compliant certificates. This example is intended for usage in a development environment.

The following command will generate a CA root certificate and key that can be uploaded to Kong Mesh as a Secret and then used in a provided mTLS backend:

SAMPLE_CA_CONFIG="
[req]
distinguished_name=dn
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:0
keyUsage=keyCertSign
"

openssl req -config <(echo "$SAMPLE_CA_CONFIG") -new -newkey rsa:2048 -nodes \
  -subj "/CN=Hello" -x509 -extensions ext -keyout key.pem -out crt.pem

The command generates a certificate at crt.pem and the key at key.pem. Generate the Kong Mesh Secret resources using the Secret resource.

Development mode

In development mode, you can provide the cert and key properties of the provided backend using an inline value instead of a Secret resource.

Using the inline modes in production presents a security risk since it makes the CA root certificate and key more easily accessible to a malicious actor. Only use inline in development mode.

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: provided
        conf:
          cert:
            inline: <base64-encoded certificate>
          key:
            inline: <base64-encoded key>

type: Mesh
name: default
mtls:
  enabledBackend: ca-1
  backends:
    - name: ca-1
      type: provided
      conf:
        cert:
          inline: <base64-encoded certificate>
        key:
          inline: <base64-encoded key>

Kong Mesh provides a PERMISSIVE mTLS mode to let you migrate existing workloads with zero downtime.

Permissive mTLS mode encrypts outbound connections the same way as strict mTLS mode, but inbound connections on the server-side accept both TLS and plaintext. This lets you migrate servers to an mTLS mesh before their clients. It also supports the case where the client and server already implement TLS.

PERMISSIVE mode is not secure. It’s intended as a temporary utility. Make sure to set to STRICT mode after migration is complete.

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin
        mode: PERMISSIVE

type: Mesh
name: default
mtls:
  enabledBackend: ca-1
  backends:
    - name: ca-1
      type: builtin
      mode: PERMISSIVE

Once a CA backend has been configured, Kong Mesh uses the CA root certificate and key to automatically provision a certificate for every data plane proxy that it connects to kuma-cp.

Unlike the CA certificate, data plane proxy certificates are not permanently stored, they reside only in memory. These certificates are designed to be short-lived and rotated often by Kong Mesh.

By default, the expiration time of a data plane proxy certificate is 30 days. Kong Mesh rotates these certificates automatically after 4/5th of the certificate validity time. For example: for the default 30-day expiration, Kong Mesh rotates the certificates every 24 days.

You can update the duration of the data plane proxy certificates by updating the dpCert property on every available mTLS backend.

You can inspect the certificate rotation statistics by executing the following command:

kumactl inspect dataplanes
# MESH      NAME     TAGS          STATUS   LAST CONNECTED AGO   LAST UPDATED AGO   TOTAL UPDATES   TOTAL ERRORS   CERT REGENERATED AGO   CERT EXPIRATION       CERT REGENERATIONS
# default   web-01   service=web   Online   5s                   3s                 4               0              3s                     2020-05-11 16:01:34   2

...
"dataplaneInsight": {
  ...
  "mTLS": {
    "certificateExpirationTime": "2020-05-14T20:15:23Z",
    "lastCertificateRegeneration": "2020-05-13T20:15:23.994549539Z",
    "certificateRegenerations": 1
  }
}
...

A new data plane proxy certificate is automatically generated when:

• A data plane proxy is restarted.
• The control plane is restarted.
• The data plane proxy connects to a new control plane.