mTLS
This authentication method is commonly used with an EventHub such as Kafka.
Synopsis
```yaml
# TLS secret
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
data:
  ca.crt: <PEM file base64-encoded>
  tls.crt: <PEM file base64-encoded>
  tls.key: <PEM file base64-encoded>
---
# Credentials definition
apiVersion: kannika.io/v1alpha
kind: Credentials
metadata:
  name: mtls
spec:
  mTls:
    # Optional description
    description: "mTLS credentials"
    # The certificate must be in PEM format.
    caCertificatePemFrom:
      secretKeyRef:
        name: tls-secret
        key: ca.crt
    # The certificate must be in PEM format.
    certificatePemFrom:
      secretKeyRef:
        name: tls-secret
        key: tls.crt
    # The private key must be in PEM format. Only PKCS#8 is supported.
    privateKeyPemFrom:
      secretKeyRef:
        name: tls-secret
        key: tls.key
    # Optional
    privateKeyPasswordFrom:
      secretKeyRef:
        name: tls-key-password
        key: password
```

When using mTLS, the client’s certificate and key must be loaded into one or more secrets, which are then referenced in the Credentials definition.
The CA’s certificate may either be:
- unspecified, in which case OpenSSL will scan common directories;
- explicitly set using a secret in PEM format with `caCertificatePemFrom`.
Note that all certificates and keys must be in PEM format, and only PKCS#8 is supported for private keys.
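A pre-flight check for the format requirements above, as an added example (not Kannika's code): it inspects the base64-encoded values of a Secret's `data` map and flags a private key that is not PKCS#8 or is encrypted without a password reference. It assumes the key names `ca.crt`, `tls.crt` and `tls.key` from the synopsis; the function names and the sample values are constructed for illustration.

```python
import base64
import re

# PEM labels (RFC 7468). Only the two PKCS#8 labels are acceptable for the key.
PKCS8 = {"PRIVATE KEY": False, "ENCRYPTED PRIVATE KEY": True}  # label -> needs password
LEGACY = {"RSA PRIVATE KEY": "PKCS#1", "EC PRIVATE KEY": "SEC1"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_labels(b64_value):
    """Decode one Secret `data` value; return its PEM block labels, or None."""
    try:
        text = base64.b64decode(b64_value, validate=True).decode("ascii")
    except ValueError:  # not base64, or binary (DER) rather than PEM text
        return None
    return PEM_BLOCK.findall(text)

def check_mtls_secret(data, has_password=False):
    """Return a list of problems for a Secret `data` mapping; empty means OK.
    Checks encoding and PEM labels only, not the cryptographic contents."""
    problems = []
    for key in ("ca.crt", "tls.crt"):
        if key == "ca.crt" and key not in data:
            continue  # the CA certificate is optional
        labels = pem_labels(data.get(key, ""))
        if not labels or set(labels) != {"CERTIFICATE"}:
            problems.append(f"{key}: expected base64-encoded PEM CERTIFICATE block(s)")
    labels = pem_labels(data.get("tls.key", ""))
    if not labels or len(labels) != 1:
        problems.append("tls.key: expected exactly one base64-encoded PEM block")
    elif labels[0] in LEGACY:
        problems.append(f"tls.key: {LEGACY[labels[0]]} key; convert with `openssl pkcs8 -topk8`")
    elif labels[0] not in PKCS8:
        problems.append(f"tls.key: unexpected PEM label {labels[0]!r}")
    elif PKCS8[labels[0]] and not has_password:
        problems.append("tls.key: encrypted PKCS#8 key requires privateKeyPasswordFrom")
    return problems

def fake_pem(label):
    """Constructed sample: a PEM-shaped block with a placeholder body (no real key)."""
    body = base64.b64encode(b"constructed placeholder").decode()
    pem = f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
    return base64.b64encode(pem.encode()).decode()

if __name__ == "__main__":
    secret = {"tls.crt": fake_pem("CERTIFICATE"), "tls.key": fake_pem("RSA PRIVATE KEY")}
    for problem in check_mtls_secret(secret):
        print(problem)
```

Pass `has_password=True` when the Credentials definition sets `privateKeyPasswordFrom`.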