This document describes the steps to enable mutual SSL in APIcast, that is, having APIcast present a client certificate to the API backend when it proxies requests upstream. The instructions are provided for Docker and OpenShift.
Note: this approach will only work in APIcast v3.1.0-rc1 and later.
Prerequisites:
- a client certificate and its private key
- an API backend that accepts client certificates
Step 1. Create a directory certs in your current working directory, and place the following files there:
- client.crt: the client certificate, in PEM format
- client.key: the private key for that certificate, in PEM format
- password_file: a file containing the passphrase for the private key. This is only needed when the key is passphrase-protected (without it nginx would prompt for the passphrase on start); if the key has no passphrase, skip this file.
Step 2. Create a file proxy_ssl.conf in the current directory (provided in this Gist).
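As an added illustration (mine, not the Gist's own proxy_ssl.conf, which this page does not reproduce), here is a proxy_ssl.conf that does what the steps need using nginx's proxy_ssl_* directives. The certificate paths match the certs volume mounted at /opt/app-root/src/conf/certs in the commands below; the file name ca.crt and the last three directives are an assumption of this example, not something the Gist requires:

```nginx
# Added example, not the Gist's file. Paths assume the certs directory is
# mounted at /opt/app-root/src/conf/certs as in the docker/oc commands.

# Client certificate and key that APIcast presents to the API backend.
proxy_ssl_certificate     /opt/app-root/src/conf/certs/client.crt;
proxy_ssl_certificate_key /opt/app-root/src/conf/certs/client.key;

# Only needed when client.key is passphrase-protected; remove otherwise.
proxy_ssl_password_file   /opt/app-root/src/conf/certs/password_file;

# Assumed additions. nginx defaults proxy_ssl_verify to off, so without these
# APIcast authenticates itself to the backend but never checks the backend's
# certificate; ca.crt (assumed name) is the CA that issued the backend cert.
proxy_ssl_verify              on;
proxy_ssl_trusted_certificate /opt/app-root/src/conf/certs/ca.crt;
proxy_ssl_server_name         on;
```

With proxy_ssl_verify on, the backend's certificate must chain to ca.crt and its name must match the upstream host (proxy_ssl_name defaults to the proxied host), so expect a 502 from APIcast rather than a successful call if the backend presents a certificate for a different name.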
Step 3 (Docker). Start the container, attaching the extra files as volumes (replace <ACCESS_TOKEN> and <DOMAIN> with your 3scale admin portal access token and domain):
docker run --name apicast --rm -p 8080:8080 -e THREESCALE_DEPLOYMENT_ENV=production -e THREESCALE_PORTAL_ENDPOINT=https://<ACCESS_TOKEN>@<DOMAIN>-admin.3scale.net -v $(pwd)/certs:/opt/app-root/src/conf/certs -v $(pwd)/proxy_ssl.conf:/opt/app-root/src/apicast.d/location.d/proxy_ssl.conf quay.io/3scale/apicast:v3.1.0-rc1
Note (OpenShift): You should be logged in to the OpenShift cluster, with the project where APIcast is deployed selected. It is assumed that the name of the DeploymentConfig is apicast. If it is different, adjust the commands below accordingly.
Step 3 (OpenShift). Create ConfigMaps from the files described above. Note that a ConfigMap is not a confidential store: anyone who can read ConfigMaps in the project can read client.key (and password_file), so in a real deployment keep those files in a Secret mounted at the same path instead.
oc create configmap proxy-ssl-conf --from-file=./proxy_ssl.conf
oc create configmap certs --from-file=./certs
Step 4. Mount the ConfigMaps as volumes. The proxy_ssl.conf ConfigMap is mounted over a single file path, so the mount needs a subPath (otherwise Kubernetes puts a directory there); the last command below adds it. The /0 index in that patch assumes the proxy-ssl-conf mount is the first volumeMount of the container, so check the DeploymentConfig (oc get dc/apicast -o yaml) first if it already had other mounts. Note also that this mount path differs from the one used in the Docker command above; use whichever include directory your APIcast version actually reads.
oc set volume dc/apicast --add --name=proxy-ssl-conf --mount-path /opt/app-root/src/conf.d/proxy_ssl.conf --source='{"configMap":{"name":"proxy-ssl-conf","items":[{"key":"proxy_ssl.conf","path":"proxy_ssl.conf"}]}}'
oc set volume dc/apicast --add --name=certs --mount-path /opt/app-root/src/conf/certs --source='{"configMap":{"name":"certs"}}'
oc patch dc/apicast --type=json -p '[{"op": "add", "path": "/spec/template/spec/containers/0/volumeMounts/0/subPath", "value":"proxy_ssl.conf"}]'
Make an API call through APIcast as usual; the API backend should now receive the client certificate.
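To see what that final check should look like from the backend's side, here is an added example in Go (my own, not code from the Gist or from APIcast). It constructs a throw-away PKI, stands up an in-memory TLS backend that requires and verifies a client certificate, and connects twice: once presenting a client certificate, as APIcast does via proxy_ssl_certificate, and once without, which the backend must refuse. The names test-ca, backend.local and apicast-client and the greeting text are constructed for the example; no network sockets are used, the two sides talk over net.Pipe:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// mustIssue generates a P-256 key and a short-lived certificate for cn (also set
// as a SAN, which the peer's hostname check matches against), signed by parent;
// with no parent it becomes a self-signed root CA. Panics are acceptable here
// because this is throw-away test PKI constructed for the example.
func mustIssue(serial int64, cn string, parent tls.Certificate, eku ...x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
	}
	signer, signerKey := parent.Leaf, parent.PrivateKey
	if signer == nil { // no parent: make this a self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, tmpl.KeyUsage|x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// exchange runs one TLS connection over an in-memory pipe; the backend greets the peer by its client-cert CN, then closes.
func exchange(backend, gateway *tls.Config) (string, error) {
	gEnd, bEnd := net.Pipe()
	backendErr := make(chan error, 1)
	go func() {
		srv := tls.Server(bEnd, backend)
		defer srv.Close() // sends close_notify so the reader below sees EOF
		if err := srv.Handshake(); err != nil {
			backendErr <- err // e.g. "tls: client didn't provide a certificate"
			return
		}
		_, err := fmt.Fprintf(srv, "hello %s", srv.ConnectionState().PeerCertificates[0].Subject.CommonName)
		backendErr <- err
	}()
	cli := tls.Client(gEnd, gateway)
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	body, readErr := io.ReadAll(cli) // the greeting, or the alert the backend sent instead
	if err := <-backendErr; err != nil {
		return "", err
	}
	return string(body), readErr
}

// MutualTLSCheck stands up a backend that requires and verifies a client
// certificate, then connects once with a client certificate (what APIcast
// presents via proxy_ssl_certificate) and once without.
func MutualTLSCheck() (greeting string, noCertErr error, err error) {
	ca := mustIssue(1, "test-ca", tls.Certificate{}) // constructed root for the example
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	backend := &tls.Config{
		Certificates: []tls.Certificate{mustIssue(2, "backend.local", ca, x509.ExtKeyUsageServerAuth)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual part: no valid client cert, no connection
		ClientCAs:    pool,
		// Tickets are sent mid-handshake; disabling them keeps both ends of the unbuffered pipe from writing at once.
		SessionTicketsDisabled: true,
	}
	noCert := &tls.Config{RootCAs: pool, ServerName: "backend.local"}
	gateway := noCert.Clone() // same, plus the client.crt/client.key equivalent
	gateway.Certificates = []tls.Certificate{mustIssue(3, "apicast-client", ca, x509.ExtKeyUsageClientAuth)}
	if greeting, err = exchange(backend, gateway); err != nil {
		return "", nil, err
	}
	_, noCertErr = exchange(backend, noCert)
	return greeting, noCertErr, nil
}

func main() {
	greeting, noCertErr, err := MutualTLSCheck()
	fmt.Println("with client cert:", greeting, "| without:", noCertErr, "| error:", err)
}
```

The backend answers the authenticated connection with the CN from the client certificate, which is exactly what an API backend behind APIcast can use to identify the gateway; the bare connection fails on the server side with a "client didn't provide a certificate" handshake error, and the client sees the matching TLS alert instead of a response. Against a real backend the equivalent check is to call it once through APIcast and once directly without a certificate and confirm only the first succeeds.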
@FrederikBoelens I am not aware of the plans for 2.8 (given that there are external dependencies that need to be met first), but yes, it looks like running multiple instances of APIcast in parallel should do the trick. You can limit the services that will be handled by one instance of APIcast using the APICAST_SERVICES_LIST env var: https://github.com/3scale/APIcast/blob/master/doc/parameters.md#apicast_services_list