gw-07 — Execution
Prerequisites
- Go ≥ 1.25 (stdlib crypto only, offline). Optional:
curl,openssl.
One-shot
cd gw-07-edge-security-mtls && bash scripts/verify.sh # → "=== gw-07 OK ==="
Per-language workflow (Go)
cd gw-07-edge-security-mtls/src/go
go test -race -count=1 ./... # CA/issue, policy, rotation, mTLS end-to-end
go run ./cmd/mtlsgw # self-contained mTLS gateway demo
Run the demo
mtlsgw generates an ephemeral CA + server cert + client cert, writes the
client material to /tmp, serves an mTLS endpoint with SPIFFE authz, and
rotates the server cert every 30s. It prints the exact curl to run:
curl --cacert /tmp/gw07-ca.crt --cert /tmp/gw07-client.crt --key /tmp/gw07-client.key \
https://127.0.0.1:8443/studio/assets # 200
curl --cacert /tmp/gw07-ca.crt https://127.0.0.1:8443/studio/assets # handshake refused
Package map
| File | What |
|---|---|
mtls/certs.go | a tiny CA; issue leaves with SPIFFE URI SANs; PEM encode |
mtls/server.go | hot-rotating server TLS config (mTLS required), client config |
mtls/identity.go | SPIFFE extraction from the verified cert; policy + authz middleware |
cmd/mtlsgw | runnable mTLS gateway with live cert rotation |
See GUIDE.md for the deep dive (trust boundary, fail-open vs fail-closed, churn link).