mTLS Service Mesh with Low Code No Code — Using mTLS in a Service Mesh together with a Low Code Platform

Published 28 May 2569 B.E.

mTLS in a Service Mesh

mTLS authenticates both the client and the server with X.509 certificates, which blocks man-in-the-middle (MITM) attacks. It is used for service-to-service communication, and a service mesh issues and renews the certificates automatically.

Low Code/No Code platforms build applications through a visual interface, cutting development time. Combined with a service mesh, low-code apps can connect to microservices securely.

Istio mTLS Configuration

#!/usr/bin/env bash
# Istio mTLS setup: install, enforce STRICT mTLS, restrict access per service, verify
echo "=== Istio mTLS Configuration ==="

# 1. Install Istio
curl -L https://istio.io/downloadIstio | sh -
cd istio-*
export PATH=$PWD/bin:$PATH
istioctl install --set profile=demo -y

# 2. Enable sidecar injection for the default namespace
kubectl label namespace default istio-injection=enabled

# 3. PeerAuthentication: enforce mTLS mesh-wide
#    (a selector-less policy in the root namespace istio-system applies to every workload in the mesh)
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT      # STRICT = mTLS required
                      # PERMISSIVE = allow both plaintext and mTLS
                      # DISABLE = no mTLS
EOF

# 4. DestinationRule: mTLS for a specific service (client-side TLS settings)
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: api-gateway-mtls
spec:
  host: api-gateway.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF

# 5. AuthorizationPolicy: service-level access control
#    ALLOW rules: a request reaches api-gateway only if some rule matches;
#    every other request to this workload is denied
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-gateway-policy
  namespace: default
spec:
  selector:
    matchLabels:
      app: api-gateway
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/admin-service"]
    to:
    - operation:
        methods: ["GET", "POST", "PUT", "DELETE"]
        paths: ["/api/admin/*"]
EOF

# 6. Certificate rotation
#    Istio auto-rotates workload certificates (default lifetime: 24h)
#    Inspect the certificate a sidecar currently holds:
istioctl proxy-config secret <pod-name> -o json

# 7. Check mTLS status
#    (tls-check was removed in newer Istio releases; there, istioctl x describe pod <pod-name>
#     reports the effective PeerAuthentication mode for the pod)
istioctl authn tls-check <pod-name>
kubectl get peerauthentication --all-namespaces
kubectl get authorizationpolicy --all-namespaces

echo "Istio mTLS configured:"
echo "  Mode: STRICT (mTLS required)"
echo "  AuthZ: Service-level policies"
echo "  Certs: Auto-rotated every 24h"
echo "  Verify: istioctl authn tls-check"
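The AuthorizationPolicy in step 5 is easier to reason about when its ALLOW semantics can be tested offline. The following is an added example, not code from the page or from Istio: a simplified evaluator covering only the fields the page uses (source.principals, operation.methods, operation.paths) with Istio's "*" prefix/suffix/exact string matching. The request values are constructed; `evaluate_page_policy` and the `Request`/`Rule` names are this example's own.

```python
# Added example (not the page's or Istio's code): a simplified evaluator for the
# ALLOW semantics of Istio AuthorizationPolicy, limited to the fields the page
# uses (source.principals, operation.methods, operation.paths). Matching follows
# Istio's "*" prefix/suffix/exact rules; path normalisation and the other match
# fields (namespaces, hosts, ports, JWT claims) are not modelled.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Request:
    principal: Optional[str]   # SPIFFE identity from the peer certificate; None without mTLS
    method: str
    path: str


@dataclass
class Rule:
    principals: List[str]
    methods: List[str]
    paths: List[str]


def match_string(pattern: str, value: str) -> bool:
    """Istio string matching: exact, prefix ("abc*"), suffix ("*abc") or presence ("*")."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule matches only if every populated field matches."""
    if rule.principals:
        # principals are only known when the caller presented an mTLS certificate
        if req.principal is None:
            return False
        if not any(match_string(p, req.principal) for p in rule.principals):
            return False
    if rule.methods and req.method not in rule.methods:
        return False
    if rule.paths and not any(match_string(p, req.path) for p in rule.paths):
        return False
    return True


def is_allowed(policies: List[List[Rule]], req: Request) -> bool:
    """ALLOW policies selecting a workload: allowed if any rule of any policy
    matches, denied otherwise. With no policy selecting the workload, Istio
    allows everything."""
    if not policies:
        return True
    return any(rule_matches(rule, req) for rules in policies for rule in rules)


# Rules of api-gateway-policy, transcribed from the page
API_GATEWAY_POLICY = [
    Rule(principals=["cluster.local/ns/default/sa/frontend"],
         methods=["GET", "POST"], paths=["/api/*"]),
    Rule(principals=["cluster.local/ns/default/sa/admin-service"],
         methods=["GET", "POST", "PUT", "DELETE"], paths=["/api/admin/*"]),
]

FRONTEND = "cluster.local/ns/default/sa/frontend"
ADMIN = "cluster.local/ns/default/sa/admin-service"


def evaluate_page_policy(principal: Optional[str], method: str, path: str) -> bool:
    """Decision of api-gateway-policy for one request."""
    return is_allowed([API_GATEWAY_POLICY], Request(principal, method, path))


if __name__ == "__main__":
    # Constructed requests, including a plaintext caller with no certificate identity
    cases = [
        (FRONTEND, "GET", "/api/users"),
        (FRONTEND, "DELETE", "/api/admin/users"),
        (ADMIN, "DELETE", "/api/admin/users"),
        (FRONTEND, "GET", "/api/admin/report"),   # "/api/*" also covers /api/admin/...
        (None, "GET", "/api/users"),
        ("cluster.local/ns/default/sa/retool", "GET", "/api/users"),
    ]
    for principal, method, path in cases:
        verdict = "ALLOW" if evaluate_page_policy(principal, method, path) else "DENY"
        print(f"{verdict:5} {principal or '<no mTLS identity>':45} {method:6} {path}")
```

Running the cases shows two points worth checking in any policy like this one: a caller with no mTLS identity never matches a `principals` rule, which is why STRICT mode and AuthorizationPolicy reinforce each other; and because `/api/*` is a prefix match, the frontend rule also admits GET and POST to `/api/admin/...`. If that is not intended, narrow the frontend paths or add an explicit DENY policy for `/api/admin/*` from anything other than admin-service.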

Service Mesh Observability

# mesh_observability.py — Service Mesh Monitoring
from dataclasses import dataclass
from typing import List, Dict
from datetime import datetime


@dataclass
class ServiceMetrics:
    name: str
    requests_total: int
    error_rate: float        # percent
    p50_latency_ms: float
    p99_latency_ms: float
    mtls_enabled: bool
    connections: int


class MeshObservability:
    """Service Mesh Observability Dashboard"""

    def __init__(self):
        self.services: Dict[str, ServiceMetrics] = {}
        self.traffic_flows: List[Dict] = []

    def add_service(self, metrics: ServiceMetrics):
        self.services[metrics.name] = metrics

    def add_traffic(self, source, dest, rps, error_rate, mtls):
        self.traffic_flows.append({
            "source": source, "dest": dest,
            "rps": rps, "error_rate": error_rate,
            "mtls": mtls,
        })

    def dashboard(self):
        """Mesh Dashboard"""
        print(f"\n{'=' * 60}")
        print(f"Service Mesh Dashboard — {datetime.now().strftime('%H:%M')}")
        print(f"{'=' * 60}")

        total_rps = sum(s.requests_total for s in self.services.values())
        mtls_count = sum(1 for s in self.services.values() if s.mtls_enabled)
        total = len(self.services)
        # guard against ZeroDivisionError when no service has been registered yet
        coverage = mtls_count / total * 100 if total else 0.0

        print(f" Services: {total}")
        print(f" mTLS Coverage: {mtls_count}/{total} ({coverage:.0f}%)")
        print(f" Total RPS: {total_rps:,}")

        print("\n Services:")
        for name, m in self.services.items():
            mtls = "mTLS" if m.mtls_enabled else "PLAIN"
            health = "OK" if m.error_rate < 1 else "WARN" if m.error_rate < 5 else "CRIT"
            print(f" [{health:>4}] {name:<25} "
                  f"RPS:{m.requests_total:>6} "
                  f"Err:{m.error_rate:.1f}% "
                  f"P99:{m.p99_latency_ms:.0f}ms "
                  f"[{mtls}]")

        print("\n Traffic Flows:")
        for flow in self.traffic_flows:
            mtls = "mTLS" if flow["mtls"] else "PLAIN"
            print(f" {flow['source']:>20} -> {flow['dest']:<20} "
                  f"{flow['rps']:>4} rps [{mtls}]")

    def security_audit(self) -> List[str]:
        """Security Audit: flag services and flows not protected by mTLS"""
        print("\n Security Audit:")
        issues = []

        for name, m in self.services.items():
            if not m.mtls_enabled:
                issues.append(f" WARN: {name} — mTLS not enabled")

        for flow in self.traffic_flows:
            if not flow["mtls"]:
                issues.append(f" WARN: {flow['source']} -> {flow['dest']} — Plain text")

        if issues:
            for issue in issues:
                print(f" {issue}")
        else:
            print(" All services using mTLS — PASS")
        return issues


# Example
mesh = MeshObservability()

services = [
    ServiceMetrics("api-gateway", 5000, 0.2, 12, 85, True, 150),
    ServiceMetrics("user-service", 2000, 0.1, 8, 45, True, 80),
    ServiceMetrics("order-service", 3000, 0.5, 15, 120, True, 100),
    ServiceMetrics("payment-service", 1000, 0.3, 20, 200, True, 50),
    ServiceMetrics("notification-svc", 500, 0.0, 5, 30, True, 20),
    ServiceMetrics("legacy-service", 200, 1.5, 50, 500, False, 10),
]

for svc in services:
    mesh.add_service(svc)

mesh.add_traffic("api-gateway", "user-service", 2000, 0.1, True)
mesh.add_traffic("api-gateway", "order-service", 3000, 0.5, True)
mesh.add_traffic("order-service", "payment-service", 1000, 0.3, True)
mesh.add_traffic("order-service", "legacy-service", 200, 1.5, False)

mesh.dashboard()
mesh.security_audit()

Low Code Integration

1. Retool Configuration (Low Code Internal Tool)

retool_config.yaml
resources:
  - name: "User API"
    type: "rest_api"
    base_url: "https://api-gateway.internal/api/v1"
    headers:
      Authorization: "Bearer {{ RETOOL_API_KEY }}"
      X-Request-ID: "{{ generateUUID() }}"
    # mTLS handled by the Service Mesh sidecar
  - name: "Analytics DB"
    type: "postgresql"
    host: "analytics-db.internal"
    port: 5432
    database: "analytics"
    # Connection encrypted via mTLS

2. Power Automate Flow (No Code Workflow)

workflow:
  trigger: "When new order is created"
  actions:
    - name: "Validate Order"
      type: "http_request"
      url: "https://api-gateway.internal/api/v1/orders/validate"
      method: "POST"
      body: "@triggerBody()"
    - name: "Send Notification"
      type: "http_request"
      url: "https://api-gateway.internal/api/v1/notifications"
      method: "POST"
      body:
        to: "@body('Validate Order').customer_email"
        template: "order_confirmation"

3. Kubernetes Deployment for the Low Code Backend

apiVersion: apps/v1
kind: Deployment
metadata:
  name: retool
  labels:
    app: retool
spec:
  replicas: 2
  selector:
    matchLabels:
      app: retool
  template:
    metadata:
      labels:
        app: retool
      annotations:
        sidecar.istio.io/inject: "true"
    spec:
      # The pods must run as the "retool" ServiceAccount (create it first) so that
      # their mTLS identity matches the sa/retool principal in the policy in step 4;
      # without serviceAccountName the pods run as "default" and are denied.
      serviceAccountName: retool
      containers:
      - name: retool
        image: tryretool/backend:latest
        ports:
        - containerPort: 3000
        env:
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: retool-secrets
              key: database-url

4. AuthorizationPolicy for Low Code

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: lowcode-policy
spec:
  selector:
    matchLabels:
      app: api-gateway
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/retool"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/v1/users/*", "/api/v1/orders/*"]

lowcode_platforms = {
    "Retool": {"type": "Internal Tools", "pricing": "Free tier + $10/user"},
    "Power Apps": {"type": "Business Apps", "pricing": "$20/user/month"},
    "Mendix": {"type": "Enterprise Apps", "pricing": "Contact Sales"},
    "OutSystems": {"type": "Enterprise Apps", "pricing": "Contact Sales"},
    "Appsmith": {"type": "Internal Tools (OSS)", "pricing": "Free (self-hosted)"},
    "Budibase": {"type": "Internal Tools (OSS)", "pricing": "Free (self-hosted)"},
}

print("\nLow Code Platforms:")
for name, info in lowcode_platforms.items():
    print(f" {name}: {info['type']} — {info['pricing']}")
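The lowcode-policy in step 4 only admits traffic whose mTLS identity is `cluster.local/ns/default/sa/retool`, so it is worth checking that some Deployment actually runs under that service account; a pod without `serviceAccountName` presents the namespace's `default` identity and is denied. The following is an added example, not the page's, Retool's or Istio's code: a cross-check between AuthorizationPolicy principals and Deployment pod specs. The manifests are constructed inline as dicts mirroring the page's YAML (in practice they would come from `kubectl get deploy,authorizationpolicy -A -o json`), and `retool_deployment`, `unbacked_principals` and `principal_to_identity` are this example's own names.

```python
# Added example (not the page's, Retool's or Istio's code): check that every
# service account named in an AuthorizationPolicy principal is actually used by
# a Deployment, so the policy can ever match real traffic. Manifests are
# constructed inline as dicts mirroring the YAML on this page.
from typing import Dict, List, Optional, Set, Tuple

Identity = Tuple[str, str]   # (namespace, serviceAccountName)


def principal_to_identity(principal: str) -> Identity:
    """Parse an Istio principal of the form cluster.local/ns/<ns>/sa/<name>."""
    parts = principal.split("/")
    if len(parts) != 5 or parts[1] != "ns" or parts[3] != "sa":
        raise ValueError(f"unsupported principal format: {principal}")
    return parts[2], parts[4]


def deployment_identities(deployments: List[dict]) -> Set[Identity]:
    """Identity each Deployment's pods present to the mesh. A pod spec without
    serviceAccountName runs as the namespace's 'default' service account."""
    ids: Set[Identity] = set()
    for d in deployments:
        ns = d["metadata"].get("namespace", "default")
        pod_spec = d["spec"]["template"]["spec"]
        ids.add((ns, pod_spec.get("serviceAccountName", "default")))
    return ids


def unbacked_principals(policies: List[dict], deployments: List[dict]) -> List[str]:
    """Principals referenced by policies that no Deployment's pods can present."""
    present = deployment_identities(deployments)
    findings = []
    for pol in policies:
        for rule in pol["spec"].get("rules", []):
            for src in rule.get("from", []):
                for principal in src.get("source", {}).get("principals", []):
                    if principal_to_identity(principal) not in present:
                        findings.append(f"{pol['metadata']['name']}: no pod runs as {principal}")
    return findings


# Constructed manifest mirroring the page's lowcode-policy (namespace defaults to "default")
LOWCODE_POLICY = {
    "metadata": {"name": "lowcode-policy"},
    "spec": {
        "selector": {"matchLabels": {"app": "api-gateway"}},
        "rules": [{
            "from": [{"source": {"principals": ["cluster.local/ns/default/sa/retool"]}}],
            "to": [{"operation": {"methods": ["GET", "POST"],
                                  "paths": ["/api/v1/users/*", "/api/v1/orders/*"]}}],
        }],
    },
}


def retool_deployment(service_account: Optional[str] = None) -> dict:
    """Constructed Retool Deployment; None omits serviceAccountName entirely."""
    pod_spec: Dict[str, object] = {
        "containers": [{"name": "retool", "image": "tryretool/backend:latest"}],
    }
    if service_account:
        pod_spec["serviceAccountName"] = service_account
    return {"metadata": {"name": "retool", "labels": {"app": "retool"}},
            "spec": {"template": {"metadata": {"labels": {"app": "retool"}},
                                  "spec": pod_spec}}}


if __name__ == "__main__":
    print("without serviceAccountName:",
          unbacked_principals([LOWCODE_POLICY], [retool_deployment()]))
    print("with serviceAccountName retool:",
          unbacked_principals([LOWCODE_POLICY], [retool_deployment("retool")]))
```

The first call reports the unbacked principal, the second returns an empty list. The same check run against live cluster output catches the common failure where a policy is "correct" but the low-code app is silently denied because its pods never received the identity the policy expects.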

Best Practices

  • STRICT Mode: use mTLS STRICT mode in production to enforce encryption for every service
  • AuthorizationPolicy: define service-level policies that grant only the access each service needs
  • Certificate Rotation: rely on the auto-rotation Istio manages and keep certificate lifetimes short
  • Observability: use Kiali, Jaeger and Prometheus to view traffic flows and mTLS status
  • Low Code Security: route low-code apps through the API gateway, protected by an AuthZ policy
  • Gradual Migration: start in PERMISSIVE mode, then switch to STRICT
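During a PERMISSIVE-to-STRICT migration the question is which workloads are still accepting plaintext, and the answer depends on Istio's PeerAuthentication precedence: a workload-specific policy (one with a selector, in the workload's namespace) overrides a namespace-wide policy (no selector, same namespace), which overrides the mesh-wide policy in the root namespace istio-system, with PERMISSIVE as the built-in default when nothing applies. The following added example (not the page's or Istio's code) resolves that precedence, including `portLevelMtls` overrides, and lists the workloads not yet in STRICT. The policies and workloads are constructed inline; the `legacy-permissive` policy, the workload names and `plaintext_accepting` are assumptions of this example.

```python
# Added example (not the page's or Istio's code): resolve the mTLS mode Istio
# applies to a workload from a set of PeerAuthentication objects, following the
# documented precedence: workload-specific > namespace-wide > mesh-wide
# (root namespace istio-system) > built-in PERMISSIVE. UNSET at one level
# inherits from the next. Policies and workloads below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ROOT_NAMESPACE = "istio-system"


@dataclass
class PeerAuthentication:
    name: str
    namespace: str
    mode: str                                                  # STRICT | PERMISSIVE | DISABLE | UNSET
    selector: Dict[str, str] = field(default_factory=dict)     # empty = namespace- or mesh-wide
    port_level: Dict[int, str] = field(default_factory=dict)   # portLevelMtls (workload policies only)


@dataclass
class Workload:
    name: str
    namespace: str
    labels: Dict[str, str]


def _selects(policy: PeerAuthentication, wl: Workload) -> bool:
    """A workload-specific policy applies if it is in the same namespace and all selector labels match."""
    return (policy.namespace == wl.namespace and bool(policy.selector)
            and all(wl.labels.get(k) == v for k, v in policy.selector.items()))


def effective_mtls_mode(policies: List[PeerAuthentication], wl: Workload,
                        port: Optional[int] = None) -> str:
    """Most specific applicable mode for the workload (and optionally one port)."""
    workload_level = [p for p in policies if _selects(p, wl)]
    namespace_level = [p for p in policies if p.namespace == wl.namespace and not p.selector]
    mesh_level = [p for p in policies if p.namespace == ROOT_NAMESPACE and not p.selector]

    if workload_level:
        # Istio leaves several matching workload policies undefined; the first one is used here
        p = workload_level[0]
        if port is not None and port in p.port_level:
            return p.port_level[port]
    for level in (workload_level, namespace_level, mesh_level):
        if level and level[0].mode != "UNSET":
            return level[0].mode
    return "PERMISSIVE"


def plaintext_accepting(policies: List[PeerAuthentication], workloads: List[Workload]) -> List[str]:
    """Workloads whose effective mode still admits plaintext (PERMISSIVE or DISABLE)."""
    out = []
    for wl in workloads:
        mode = effective_mtls_mode(policies, wl)
        if mode != "STRICT":
            out.append(f"{wl.namespace}/{wl.name}={mode}")
    return out


# Constructed: the page's mesh-wide STRICT policy plus a temporary migration
# exception for legacy-service (assumed name), with one port left unencrypted
POLICIES = [
    PeerAuthentication("default", ROOT_NAMESPACE, "STRICT"),
    PeerAuthentication("legacy-permissive", "default", "PERMISSIVE",
                       selector={"app": "legacy-service"}, port_level={9090: "DISABLE"}),
]
WORKLOADS = [
    Workload("api-gateway", "default", {"app": "api-gateway"}),
    Workload("legacy-service", "default", {"app": "legacy-service"}),
    Workload("retool", "default", {"app": "retool"}),
]

if __name__ == "__main__":
    for wl in WORKLOADS:
        print(f"{wl.name:15} {effective_mtls_mode(POLICIES, wl)}")
    print("still accepting plaintext:", plaintext_accepting(POLICIES, WORKLOADS))
```

Fed with the objects returned by `kubectl get peerauthentication --all-namespaces -o json`, this yields the migration checklist directly: the output should shrink to an empty list before the mesh is considered fully STRICT, and any `DISABLE` port-level entry deserves an explicit justification.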

What is mTLS?

Mutual TLS encrypts traffic and authenticates both client and server with X.509 certificates, preventing MITM attacks. It is used for service-to-service communication between microservices.

What is a Service Mesh?

An infrastructure layer that manages communication between microservices through a sidecar proxy (Envoy), providing traffic routing, load balancing, mTLS and observability without changing application code. Examples: Istio, Linkerd, Consul.

What is Low Code/No Code?

Platforms that build apps through a visual interface instead of hand-written code, reducing development time: drag-and-drop UI, workflows and integrations. Examples: Power Apps, Mendix, OutSystems and Retool, for business apps and internal tools.

Why use mTLS in a Service Mesh?

It stops spoofed services through identity verification, encrypts traffic in transit, and is the foundation of Zero Trust, where every call is authenticated. The mesh manages the certificates automatically.

Summary

mTLS in a service mesh gives Zero Trust communication between services. Istio manages certificates automatically, STRICT mode enforces encryption, AuthorizationPolicy controls permissions, low-code apps connect securely through the API gateway, and Kiali and Jaeger provide observability.