GitHub user tanishqzope added a comment to the discussion: Configuring mTLS and
strict authentication for the Triple protocol in a Zero-Trust architecture
Hi there! This is a great question. Moving towards a zero-trust architecture is
definitely the right path, and Dubbo 3 handles this very well with the Triple
protocol.
To answer your questions directly: you can do both, but the "recommended"
approach depends heavily on how you want to manage certificate rotation and
infrastructure overhead.
Here is a breakdown of your options and how to configure them:
1. The Native Approach (Direct YAML Configuration)
Dubbo does have built-in support for TLS and mTLS terminating directly within
the framework, so you do not strictly need a sidecar proxy.
The YAML snippet you provided is very close! However, for true mutual TLS
(where the server also authenticates the client), you must also provide the
trust store/certificate collection so the provider can verify the consumer's
certificate.
Your updated configuration should look like this:
```yaml
dubbo:
  protocol:
    name: tri
    port: 50051
    ssl-enabled: true
  ssl:
    # Server's own identity
    server-key-cert-chain-path: /certs/server.pem
    server-private-key-path: /certs/server.key
    # Required for mTLS: Verifying the client
    mutual-tls: true
    trust-cert-collection-path: /certs/ca.pem
```
(Note: You will also need corresponding dubbo.ssl.client-* configurations on
the Consumer side to present its certificate to the Provider).
2. The Service Mesh Approach (Envoy / Istio)
While native mTLS works perfectly, the biggest challenge in zero-trust is
certificate lifecycle management. Manually mounting and rotating
/certs/server.pem across dozens of Spring Boot pods becomes operationally heavy.
For enterprise production environments, the community highly recommends
offloading mTLS to a Service Mesh (like Istio + Envoy).
Why use a Service Mesh instead?
Automated Rotation: Istio handles identity provisioning via SPIFFE/SPIRE and
automatically rotates short-lived certificates without you ever needing to
touch your Spring Boot YAML.
Separation of Concerns: Your Dubbo application stays completely unaware of TLS.
It communicates over plaintext to the Envoy sidecar running in the same pod via
localhost, and Envoy handles the heavy lifting of encrypting the traffic across
the network.
3. The Middle Ground: Proxyless Mesh
Since you are on Dubbo 3.3.x, you also have the option of a Proxyless Mesh.
Dubbo can integrate directly with the Istio control plane (xDS) to fetch
routing rules and security certificates dynamically, combining the automated
certificate management of Istio with the high performance of native Dubbo
(bypassing the Envoy sidecar network hop).
GitHub link:
https://github.com/apache/dubbo/discussions/16311#discussioncomment-17198904
----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to:
[email protected]