I'm building a service that requires PKI MTLS X509Certificate authentication. So I have an AWS ACM Private CA that issues private client certificates to identify the client and a regular ACM-issued certificate to identify the server.
For the MTLS authentication I use Spring Security (Java), which requires a trust store containing the private root CA certificate for authenticating clients, as well as a PKCS#12 key store to enforce SSL (for the client to authenticate the server).
Everything works fine when I run it locally using SSL. Before I enabled SSL in the application, everything worked fine in the cluster as well. However, when I added MTLS logic to the application the connection hangs when talking to the application in the cluster.
I'm guessing that I need to configure HTTPS for my service/ingress in the cluster, but everything I find specifies an ARN for the certificate to be used, while I already have it installed in the application. All I want to do is to allow HTTPS traffic to pass through the load balancer into my application and let the application handle the SSL stuff.
Alternatively, would it be possible to configure X509Certificate authentication in Spring Security without the SSL certificate for the client to verify the server? In that case the SSL certificate would only be used in production and not locally.
Would that be possible, and what are the pros and cons of each?
CodePudding user response:
So in the end I ended up using the nginx ingress controller with ssl-passthrough. However, EKS Fargate pods do not support the nginx ingress controller, so I had to create a new managed cluster. Technically I could have used a mixed cluster with both managed and Fargate nodes, but I felt that Fargate had given me enough headache, and when I did some calculations I found that Fargate probably costs more in our case.
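The passthrough setup the answer describes, as an added example rather than the poster's own manifests: the ingress-nginx controller forwards the raw TLS stream by SNI and the Spring Boot pod terminates TLS and validates the client certificate itself. The namespace, Service name, host and port below are assumptions.

```yaml
# Added example (not from the original post): ingress-nginx SSL passthrough for
# an application that does its own MTLS. Assumed names: namespace "mtls-demo",
# Service "mtls-service", host "api.example.com", Spring Boot HTTPS port 8443.
#
# 1. Passthrough is off by default; the controller Deployment must be started
#    with this extra container argument:
#      - --enable-ssl-passthrough
#
# 2. The Service targets the container port on which Spring Boot serves HTTPS.
apiVersion: v1
kind: Service
metadata:
  name: mtls-service
  namespace: mtls-demo
spec:
  type: ClusterIP
  selector:
    app: mtls-service
  ports:
    - name: https
      port: 8443
      targetPort: 8443
---
# 3. The Ingress. With ssl-passthrough the controller routes on the TLS SNI host
#    only and never decrypts the connection, so a `tls:` block, paths other than
#    "/" and any HTTP-level annotations have no effect on this Ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mtls-ingress
  namespace: mtls-demo
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: mtls-service
                port:
                  number: 8443
```

The cloud load balancer in front of the controller must forward TCP unchanged (an NLB with plain TCP listeners, not a TLS-terminating listener), otherwise the client certificate never reaches the pod. Because the ingress never sees the HTTP layer, client-certificate failures appear only in the application's logs, not in the controller's.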