Issue with Mutual TLS Authentication Setup on Vespa Data Plane


I have set up mutual TLS authentication on my Vespa Data Plane by configuring a TLS certificate, following the steps outlined in the Vespa security guide: https://cloud.vespa.ai/en/security/guide. The process involved generating a TLS certificate and private key for the client application.

However, after completing the setup, I noticed that my client server is still able to make requests to Vespa without providing the required mutual certificate. According to my understanding, Vespa should have requested the client to provide a valid certificate for authentication before fulfilling the request.

Here are the steps I followed:

I generated the TLS certificate for my Vespa Data Plane using the command:

vespa auth cert --application <tenant>.<app>.<instance>

This generated the necessary certificate and private key files.

I then prepared and activated Vespa using the commands:

vespa-deploy prepare
vespa-deploy activate
vespa deploy

However, even after completing these steps, the client server can still access Vespa's data without providing any certificate for authentication. I want to ensure that Vespa enforces mutual TLS authentication and requires the client to present a valid certificate before processing any requests.


There is 1 answer

Kristian Aune

I am not sure if this answers your question, but https://github.com/vespa-engine/sample-apps/tree/master/examples/operations/multinode-HA#secure-vespa-with-mutually-authenticated-tls provides a template for mTLS configuration.
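The thread never shows how to confirm, from the client side, whether an endpoint actually requires a client certificate, which is the question's core complaint. The script below is an added example, not code from the Vespa project, the linked sample app or either poster. check_mtls_enforced probes a HOST:PORT twice, first with no certificate and then with the certificate and key, and only reports OK when the anonymous connection is refused and the authenticated one is served. Because the real data-plane endpoint is not reachable from here, demo_local builds a throwaway openssl s_server on 127.0.0.1 with constructed self-signed certificates as a stand-in, in two modes: -Verify (client certificate required) and -verify (client certificate merely requested, so certificate-less clients are still served, which is the symptom described). The function and variable names are mine, and the only external dependency assumed is the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the Vespa docs, the sample-apps repo or either poster).
# Probes a TLS endpoint twice, once without and once with a client certificate,
# and reports whether mutual TLS is actually enforced. demo_local() builds a
# throwaway openssl s_server as a stand-in for the Vespa data-plane endpoint so
# the whole thing runs offline; the openssl CLI is assumed to be installed.

# tls_http_probe HOST:PORT CAFILE [CERT KEY]
# Succeeds only if the TLS handshake completes and the server returns any HTTP
# status line. Without CERT/KEY the client presents no certificate at all.
tls_http_probe() {
  probe_auth=""
  [ $# -ge 4 ] && probe_auth="-cert $3 -key $4"
  printf 'GET / HTTP/1.0\r\n\r\n' \
    | openssl s_client -connect "$1" -CAfile "$2" -quiet $probe_auth 2>/dev/null \
    | grep -q '^HTTP/1\.[01] [0-9]'
}

# check_mtls_enforced HOST:PORT CAFILE CERT KEY
# Exit status: 0 = client certificate required, 1 = anonymous clients are
# served (the symptom in the question), 2 = even the valid certificate fails.
check_mtls_enforced() {
  if tls_http_probe "$1" "$2"; then
    echo "FAIL: $1 served a request from a client with no certificate" >&2
    return 1
  fi
  if ! tls_http_probe "$1" "$2" "$3" "$4"; then
    echo "FAIL: $1 rejected the client certificate as well; check the trust setup" >&2
    return 2
  fi
  echo "OK: $1 requires a client certificate"
}

# demo_local enforced|request_only
# Generates self-signed server and client certificates (constructed test data),
# starts openssl s_server on 127.0.0.1 and runs check_mtls_enforced against it.
# "-Verify" makes the server require a client certificate; "-verify" only asks
# for one, which is the misconfiguration that lets certificate-less clients in.
demo_local() {
  case "$1" in
    enforced)     verify_flag=-Verify; port=$((20000 + $$ % 20000)) ;;
    request_only) verify_flag=-verify; port=$((20001 + $$ % 20000)) ;;
    *) echo "usage: demo_local enforced|request_only" >&2; return 3 ;;
  esac
  dir=$(mktemp -d)
  for name in server client; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
      -keyout "$dir/$name.key" -out "$dir/$name.crt" >/dev/null 2>&1
  done
  # The server trusts exactly one client certificate: the one generated above.
  openssl s_server -accept "$port" -www -cert "$dir/server.crt" -key "$dir/server.key" \
    -CAfile "$dir/client.crt" $verify_flag 1 </dev/null >/dev/null 2>&1 &
  srv=$!
  # Wait (up to ~10 s) until an authenticated probe gets through, i.e. the listener is up.
  i=0
  until tls_http_probe "127.0.0.1:$port" "$dir/server.crt" "$dir/client.crt" "$dir/client.key"; do
    i=$((i + 1)); [ "$i" -lt 10 ] || break; sleep 1
  done
  rc=0
  check_mtls_enforced "127.0.0.1:$port" "$dir/server.crt" "$dir/client.crt" "$dir/client.key" || rc=$?
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  rm -rf "$dir"
  return "$rc"
}

# Stand-alone run: the -Verify server passes the check, the -verify one fails it.
demo_local enforced || true
demo_local request_only || true
```

Against a real deployment, call check_mtls_enforced directly with the endpoint's host and port, the CA bundle the endpoint's server certificate chains to (for a publicly trusted certificate, the system bundle, for example /etc/ssl/certs/ca-certificates.crt on Debian-based systems), and the client certificate and key files that vespa auth cert wrote. Enforcement is a server-side property, so the anonymous probe is the one that matters: if it returns an HTTP status line, the endpoint is not requiring client certificates regardless of what the client has configured.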