Securing Vespa with mutually authenticated TLS (mTLS)
Blog post from Vespa
Vespa now supports mutually authenticated Transport Layer Security (mTLS) for all cluster-internal communication as well as for the application container's HTTP(S) endpoints. The feature is fully available in Open Source Vespa; Vespa Cloud customers already get it configured automatically. With mTLS, an endpoint accepts connections only from clients that present a certificate it trusts, which blocks unauthorized access at connection setup.

Vespa separates TLS into two planes, one for the HTTP(S) endpoints exposed by application containers and one for Vespa-internal communication, and encourages signing each plane's certificates with its own Certificate Authority (CA). The blog post walks through the configuration with a sample application, noting that mTLS requires Vespa 7.441.3 or newer. Internal communication is controlled by the file referenced by the VESPA_TLS_CONFIG_FILE environment variable, application container TLS for HTTPS is configured in services.xml, and the resulting setup is verified with curl commands.
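As an added illustration (not the post's or Vespa's own sample files), this is the shape of the JSON file that VESPA_TLS_CONFIG_FILE points to for the internal plane, following Vespa's documented format; the file paths under /var/lib/vespa and the peer name and CN value `vespa-internal` are placeholder assumptions. The `ca-certificates` entry holds only the internal CA, and `authorized-peers` further limits which certificates from that CA are accepted, so internal components reject any client that is not an internal Vespa process.

```json
{
  "files": {
    "private-key": "/var/lib/vespa/tls/internal/host.key",
    "certificates": "/var/lib/vespa/tls/internal/host.pem",
    "ca-certificates": "/var/lib/vespa/tls/internal/internal-ca.pem"
  },
  "authorized-peers": [
    {
      "name": "vespa-internal",
      "required-credentials": [
        { "field": "CN", "must-match": "vespa-internal" }
      ]
    }
  ]
}
```

The container endpoints are configured separately in services.xml with an `<ssl>` element under `<http><server>` (`<private-key-file>`, `<certificate-file>`, `<ca-certificates-file>` and `<client-authentication>need</client-authentication>`) that points at the endpoint CA rather than the internal one, which is what keeps the two planes apart.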