Configure mTLS Authentication in SAP BTP, Kyma Runtime

Learn how to configure mutual TLS (mTLS) in SAP BTP, Kyma runtime using Gardener-managed Let's Encrypt server certificates and client certificates that you supply.

Context

In this procedure, you generate certificates using the following approach:

  • Gardener’s Certificate custom resource (CR) requests a publicly trusted server certificate from Let’s Encrypt and creates a Secret that stores the certificate and its private key. Clients must therefore trust Let's Encrypt, the CA that signs the server certificate; most modern HTTP clients already do.
  • Client certificates are self-signed. For production use, use client certificates issued by a trusted CA instead.

For setting up an mTLS Gateway, you can either use your custom domain or the default domain of your Kyma cluster.

Prerequisites

  • You have an SAP BTP, Kyma runtime instance with Istio and API Gateway modules added. The Istio and API Gateway modules are added to your Kyma cluster by default.

  • To set up the mTLS Gateway, you need a domain name that is resolvable in the public DNS zone. You can use one of the following approaches:

    • Use your custom domain.

      To use a custom domain, you must own the DNS zone and supply credentials for a DNS provider supported by Gardener so that the ACME DNS challenge can be completed. To do this, first register the DNS provider in your Kyma runtime cluster and then create a DNSEntry resource.

    • Use the default domain of your Kyma cluster.

      When you create an SAP BTP, Kyma runtime instance, your cluster receives a default wildcard domain that provides the endpoint for the Kubernetes API server. This is the primary access point for all cluster management operations, used by kubectl and other tools.

      By default, the default Ingress Gateway kyma-gateway is configured under this domain. To learn what the domain is, you can check the APIServer URL in your subaccount overview, or get the domain name from the default simple TLS Gateway:

      ```bash
      kubectl get gateway -n kyma-system kyma-gateway -o jsonpath='{.spec.servers[0].hosts[0]}'
      ```

      You can request any subdomain of the assigned default domain and use it to create a TLS or mTLS Gateway, as long as no other resource already uses it. For example, if your default domain is *.c12345.kyma.ondemand.com, you can use subdomains such as example.c12345.kyma.ondemand.com, *.example.c12345.kyma.ondemand.com, and so on. If you use the Kyma runtime default domain, Gardener’s issuer can issue certificates for subdomains of that domain without additional DNS delegation.
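The following shell script is an added example and not part of the Kyma documentation or the Kyma project. It ties together the two points above: it derives a concrete gateway host from the wildcard default domain reported by kyma-gateway (rejecting input that is not a wildcard, so a typo cannot produce a host outside the domain Gardener can issue for), and it creates the kind of self-signed client certificate the Context section describes, verifying that the certificate really is self-signed. The subdomain label `example`, the file names `client.key`/`client.crt`, and the fallback domain `*.c12345.kyma.ondemand.com` are assumed values for illustration.

```shell
#!/usr/bin/env sh
# Added example (not Kyma project code). Assumptions: subdomain label "example",
# output files client.key/client.crt, constructed fallback domain below.

# Turn the wildcard host from kyma-gateway (e.g. "*.c12345.kyma.ondemand.com")
# into a concrete host such as "example.c12345.kyma.ondemand.com".
# Arguments: $1 wildcard domain, $2 optional subdomain label (default "example").
mtls_host_from_wildcard() {
  wildcard="$1"
  label="${2:-example}"
  case "$wildcard" in
    \*.*) printf '%s.%s\n' "$label" "${wildcard#\*.}" ;;
    *)
      printf 'error: "%s" is not a wildcard domain\n' "$wildcard" >&2
      return 1
      ;;
  esac
}

# Read the default domain from the cluster. If kubectl is missing or has no
# cluster access, fall back to a constructed sample value so the script runs offline.
default_domain() {
  kubectl get gateway -n kyma-system kyma-gateway \
    -o jsonpath='{.spec.servers[0].hosts[0]}' 2>/dev/null \
    || printf '*.c12345.kyma.ondemand.com'
}

# Create a self-signed client certificate (test use only, as the page notes)
# and confirm it verifies against itself, i.e. it is its own trust anchor.
# Arguments: $1 certificate CN, $2 output directory (default ".").
make_client_cert() {
  cn="$1"
  out="${2:-.}"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$cn" -keyout "$out/client.key" -out "$out/client.crt" 2>/dev/null \
    && openssl verify -CAfile "$out/client.crt" "$out/client.crt" >/dev/null
}

# Stand-alone usage: only runs when openssl is present, so the file is safe to source.
if command -v openssl >/dev/null 2>&1; then
  host="$(mtls_host_from_wildcard "$(default_domain)")"
  tmp="$(mktemp -d)"
  if make_client_cert "test-client-for-$host" "$tmp"; then
    echo "self-signed client certificate for $host written to $tmp"
  fi
fi
```

Pass a different label as the second argument of `mtls_host_from_wildcard` to pick another subdomain; the function only rewrites the leading `*.`, so the result always stays inside the domain Gardener's issuer can certify.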

Procedure