gw-07 — Execution

Prerequisites

  • Go ≥ 1.25 (stdlib crypto only, offline). Optional: curl, openssl.

One-shot

cd gw-07-edge-security-mtls && bash scripts/verify.sh   # → "=== gw-07 OK ==="

Per-language workflow (Go)

cd gw-07-edge-security-mtls/src/go
go test -race -count=1 ./...      # CA/issue, policy, rotation, mTLS end-to-end
go run ./cmd/mtlsgw               # self-contained mTLS gateway demo

Run the demo

mtlsgw generates an ephemeral CA + server cert + client cert, writes the client material to /tmp, serves an mTLS endpoint with SPIFFE authz, and rotates the server cert every 30s. It prints the exact curl to run:

curl --cacert /tmp/gw07-ca.crt --cert /tmp/gw07-client.crt --key /tmp/gw07-client.key \
     https://127.0.0.1:8443/studio/assets    # 200
curl --cacert /tmp/gw07-ca.crt https://127.0.0.1:8443/studio/assets   # handshake refused

Package map

FileWhat
mtls/certs.goa tiny CA; issue leaves with SPIFFE URI SANs; PEM encode
mtls/server.gohot-rotating server TLS config (mTLS required), client config
mtls/identity.goSPIFFE extraction from the verified cert; policy + authz middleware
cmd/mtlsgwrunnable mTLS gateway with live cert rotation

See GUIDE.md for the deep dive (trust boundary, fail-open vs fail-closed, churn link).