DNS, TLS, mTLS and Certificates

This page describes how certificates are issued and renewed, and how DNS, TLS at the edge and mTLS inside the cluster fit together.

All HTTP traffic, both from external clients and between services inside the cluster, is encrypted with TLS. The following diagram outlines the architecture used to reach HTTPS communication on every hop:

[Diagram: Certificate Management and Encrypted HTTPS communication]

DNS

The API DNS is hosted in a Cloud DNS managed zone for the api. subdomain (for example api.example.com under example.com; the names here are illustrative). The parent zone delegates that subdomain with NS records pointing at the Google name servers assigned to the Cloud DNS zone. The zone itself holds the A records that resolve each API hostname to the external IP address of the Kong load balancer.

Service Mesh

Traffic inside the Kubernetes cluster is managed by a service mesh: every pod gets a sidecar proxy, service-to-service traffic is encrypted with mutual TLS (both sides present a certificate issued by the mesh CA, so the callee knows who is calling), and strict inbound rules define which services are allowed to call which.

Tools

To that end we use the following tools:

  • cert-manager: issues certificates (for example from an ACME CA such as Let's Encrypt), renews them before they expire and stores them in Kubernetes Secrets of type kubernetes.io/tls, which the ingresses reference.

  • kuma: the service mesh, built by the creators of Kong. It injects a sidecar proxy into each pod, enforces mTLS between microservices with a mesh-internal CA, and supports allow-list policies (TrafficPermission) that grant one service granular permission to talk to another. Note that a Kuma mesh allows all traffic by default; inbound rules only become strict once that default permission is removed and explicit permissions are defined.

  • kong ingress controller: the ingresses terminate client TLS at Kong using the cert-manager certificates, redirect plain HTTP clients to HTTPS, and forward requests to the pods through the Kuma sidecar, so the hop from Kong to the service is protected by mesh mTLS. Client traffic is therefore encrypted on every hop, but not as a single pass-through TLS session: Kong sees the plaintext request, which is what lets it route, authenticate and apply plugins. For the second hop to be protected, the Kong proxy pods themselves must run inside the mesh.

  • GCP Cloud DNS: hosts the DNS zones and allows the creation of records.

  • external-dns: watches the ingress resources and creates A records in the Cloud DNS zone for each ingress host, pointing at the load balancer IP address of the Kong proxy service. Restrict it to the delegated api. zone (domain filter) and give it an owner ID so it only manages records it created and cannot overwrite anything else in the account.
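The manifests below are an added example of how these tools fit together; they are not taken from the project's own configuration. They wire up one hypothetical service, orders, in the default namespace, reachable at orders.api.example.com. The service and namespace names, the example.com domain, the contact e-mail, the Let's Encrypt issuer and the Kong proxy service name are all assumptions for the illustration. The Kuma Mesh enables mTLS with the builtin CA, a TrafficPermission allows only Kong's proxy to reach the service, cert-manager issues the public certificate, and the Ingress ties Kong, cert-manager and external-dns together.

```yaml
# Added example: hypothetical 'orders' service exposed at orders.api.example.com.
# All names, the domain and the e-mail address are assumptions for illustration.

# 1. Kuma: enforce mTLS for every workload in the default mesh using the builtin CA.
apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    enabledBackend: ca-1
    backends:
      - name: ca-1
        type: builtin
---
# 2. Kuma allow-list: only Kong's proxy may call the orders service. This is only
#    strict once the mesh's default allow-all TrafficPermission has been deleted.
#    Kuma names Kubernetes services <name>_<namespace>_svc_<port> (assumed here).
apiVersion: kuma.io/v1alpha1
kind: TrafficPermission
mesh: default
metadata:
  name: allow-kong-to-orders
spec:
  sources:
    - match:
        kuma.io/service: kong-proxy_kong_svc_80
  destinations:
    - match:
        kuma.io/service: orders_default_svc_8080
---
# 3. Sidecar injection for the workloads' namespace. The namespace running the
#    Kong proxy needs the same label, otherwise the Kong-to-service hop is not in the mesh.
apiVersion: v1
kind: Namespace
metadata:
  name: default
  labels:
    kuma.io/sidecar-injection: enabled
---
# 4. cert-manager: ACME issuer; HTTP-01 challenges are published through the Kong ingress class.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            class: kong
---
# 5. Ingress: cert-manager fills the 'orders-api-tls' Secret, Kong terminates TLS with it,
#    plain HTTP is redirected to HTTPS, and external-dns creates the A record from the host.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    konghq.com/protocols: "https"
    konghq.com/https-redirect-status-code: "301"
spec:
  ingressClassName: kong
  tls:
    - hosts:
        - orders.api.example.com
      secretName: orders-api-tls
  rules:
    - host: orders.api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: orders
                port:
                  number: 8080
```

After applying, check that the Certificate in the default namespace reports Ready, that the A record for orders.api.example.com appeared in the Cloud DNS zone with the Kong load balancer IP, and that a pod other than the Kong proxy can no longer reach orders on port 8080; if it still can, the mesh's default allow-all TrafficPermission is still present.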
