Configuring OPKG for mTLS with Istio

Hi everyone!

When securing access to an OPKG repository, most people go with basic authentication. However, at one of my previous jobs, we needed to go a step further and verify which specific client was accessing the repository. To do this, we used mutual TLS (mTLS). If you’re unfamiliar with mTLS, Cloudflare has a great explainer.

At first, I wasn’t sure how to get OPKG to support mTLS. But after digging into the source code (libopkg/opkg_conf.c), I found these relevant options:

#if WITH_SSLCURL && WITH_CURL
{"ssl_engine", OPKG_OPT_TYPE_STRING, &_conf.ssl_engine},
{"ssl_cert", OPKG_OPT_TYPE_STRING, &_conf.ssl_cert},
{"ssl_cert_type", OPKG_OPT_TYPE_STRING, &_conf.ssl_cert_type},
{"ssl_key", OPKG_OPT_TYPE_STRING, &_conf.ssl_key},
{"ssl_key_type", OPKG_OPT_TYPE_STRING, &_conf.ssl_key_type},
{"ssl_key_passwd", OPKG_OPT_TYPE_STRING, &_conf.ssl_key_passwd},
{"ssl_ca_file", OPKG_OPT_TYPE_STRING, &_conf.ssl_ca_file},
{"ssl_ca_path", OPKG_OPT_TYPE_STRING, &_conf.ssl_ca_path},
{"ssl_dont_verify_peer", OPKG_OPT_TYPE_BOOL, &_conf.ssl_dont_verify_peer},
{"ftp_explicit_ssl", OPKG_OPT_TYPE_BOOL, &_conf.ftp_explicit_ssl},
#endif

If your OPKG build is compiled with SSL-enabled curl (both WITH_SSLCURL and WITH_CURL), these are the config options you can use for mTLS authentication: ssl_cert and ssl_key point at the client certificate and key OPKG presents, and ssl_ca_file at the CA that signed the repository's server certificate.

Here’s an example of what your opkg.conf might look like:

dest root /
dest ram /tmp
arch all 100
arch armv7l 200

option ssl_cert_type PEM
option ssl_cert /mnt/os/opkg/opkg.crt
option ssl_key_type PEM
option ssl_key /mnt/os/opkg/opkg.key
option ssl_ca_file /mnt/os/opkg/ca.crt

src/gz myrepo https://myrepo.url/
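A small audit script for the opkg.conf above, added here as an example (it is not part of opkg and does not use opkg's parser). It reads the `option` and `src/gz` lines, then checks the things that usually go wrong with this setup: the three PEM paths exist and contain the right kind of block, the key file is not group/world readable, `ssl_dont_verify_peer` is not switched on, and every source is fetched over HTTPS. The sample config and the placeholder PEM files it writes into a temporary directory are constructed for the demo; the bool-without-value convention (`option ssl_dont_verify_peer` meaning enabled) is assumed.

```python
"""Parse an opkg.conf and audit its mTLS options; added example, not opkg code."""
import os
import stat
import tempfile

# Constructed sample mirroring the opkg.conf above; the three paths are
# substituted at run time so the demo works offline.
SAMPLE_CONF = """\
dest root /
dest ram /tmp
arch all 100
arch armv7l 200

option ssl_cert_type PEM
option ssl_cert {cert}
option ssl_key_type PEM
option ssl_key {key}
option ssl_ca_file {ca}

src/gz myrepo https://myrepo.url/
"""


def parse_opkg_conf(text):
    """Return (options, sources): 'option NAME [VALUE]' lines as a dict and
    'src'/'src/gz' lines as (name, url) pairs. A bool option given without a
    value is treated as enabled ('1'); this convention is assumed."""
    options, sources = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if parts[0] == "option" and len(parts) >= 2:
            options[parts[1]] = parts[2] if len(parts) == 3 else "1"
        elif parts[0] in ("src", "src/gz") and len(parts) == 3:
            sources.append((parts[1], parts[2]))
    return options, sources


def _pem_file_has(path, marker):
    """True if the file is readable and its first 4 KiB contain the PEM marker."""
    try:
        with open(path, "r") as fh:
            return marker in fh.read(4096)
    except OSError:
        return False


def audit_mtls(options, sources):
    """Return a list of findings for the mTLS setup; an empty list means it passes."""
    findings = []
    for opt, marker in (("ssl_cert", "CERTIFICATE"),
                        ("ssl_key", "PRIVATE KEY"),
                        ("ssl_ca_file", "CERTIFICATE")):
        path = options.get(opt)
        if not path:
            findings.append(f"{opt} is not set")
        elif not _pem_file_has(path, marker):
            findings.append(f"{opt} is not a readable PEM file containing a {marker}: {path}")
    for opt in ("ssl_cert_type", "ssl_key_type"):
        if options.get(opt, "PEM").upper() != "PEM":
            findings.append(f"{opt} is {options[opt]}, but a PEM file is expected")
    key = options.get("ssl_key")
    if key and os.path.exists(key) and os.stat(key).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"ssl_key is readable by group or others: {key}")
    if options.get("ssl_dont_verify_peer", "0") != "0":
        findings.append("ssl_dont_verify_peer is enabled: the repository's certificate is not verified")
    for name, url in sources:
        if not url.lower().startswith("https://"):
            findings.append(f"source {name} is not fetched over HTTPS: {url}")
    return findings


def demo():
    """Write constructed placeholder PEM files, then audit the sample config
    as-is and with two weakening lines appended. Returns both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, marker in (("cert", "CERTIFICATE"), ("key", "PRIVATE KEY"), ("ca", "CERTIFICATE")):
            paths[name] = os.path.join(tmp, f"opkg.{name}")
            with open(paths[name], "w") as fh:
                # Constructed placeholder body; not real key material.
                fh.write(f"-----BEGIN {marker}-----\nQ09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n-----END {marker}-----\n")
        os.chmod(paths["key"], 0o600)
        conf = SAMPLE_CONF.format(**paths)
        good = audit_mtls(*parse_opkg_conf(conf))
        weakened = conf + "option ssl_dont_verify_peer\nsrc/gz mirror http://mirror.example/\n"
        bad = audit_mtls(*parse_opkg_conf(weakened))
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("sample config findings:", good or "none")
    print("weakened config findings:", *bad, sep="\n  ")
```

Run it against a real opkg.conf by passing the file's contents to `parse_opkg_conf` and the result to `audit_mtls`; the permission check only fires when the key file exists on the machine running the script.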

Configuring Istio for mTLS

To get this working in Kubernetes with Istio, you’ll need just three components:

  1. A Secret containing the CA certificate and the client certificate/key.
  2. An Istio Gateway configured for mutual TLS.
  3. An Istio VirtualService routing external traffic to your internal service.

Example Secret

apiVersion: v1
kind: Secret
metadata:
  name: name-you-want-credential
  namespace: istio-system
type: Opaque
data:
  ca.crt: (base64-encoded CA certificate)
  tls.crt: (base64-encoded client certificate)
  tls.key: (base64-encoded private key)

Istio Gateway (mTLS mode)

The key part here is setting the TLS mode to MUTUAL:

apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: <gateway-name>
  namespace: <namespace>
spec:
  selector:
    istio: gateway
  servers:
  - hosts:
    - <myrepo.url>
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: name-you-want-credential
      mode: MUTUAL

VirtualService

This routes external traffic from the gateway to your internal Kubernetes service:

apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: <virtualservice-name>
  namespace: <namespace>
spec:
  gateways:
  - <namespace>/<gateway-name>
  hosts:
  - <myrepo.url>
  http:
  - route:
    - destination:
        host: <service-name>.<service-namespace>.svc.cluster.local
        port:
          number: <service-port>

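Putting the three components together, here is an added example (not Istio's or OPKG's code) that assembles the credential Secret from PEM strings and emits it as JSON, which `kubectl apply -f` accepts just like YAML. It also makes explicit which certificate goes where: in MUTUAL mode the gateway presents tls.crt/tls.key as its own server certificate and checks the certificate OPKG presents (opkg.crt above) against ca.crt, so the CA stored here must be the one that signed the client certificates. The checks reject a passphrase-protected key, because the Secret has no field to carry a passphrase. The PEM bodies below are constructed placeholders, not real key material.

```python
"""Assemble the Istio gateway credential Secret from PEM strings; added example, not Istio's code."""
import base64
import json
import re

_KEY_HEADER = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

# Constructed placeholder PEM blocks for the demo; not real certificates or keys.
CA_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0E=\n-----END CERTIFICATE-----\n"
SERVER_CERT_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtU0VSVkVS\n-----END CERTIFICATE-----\n"
SERVER_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQtS0VZ\n-----END PRIVATE KEY-----\n"
ENCRYPTED_KEY_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                     "-----END ENCRYPTED PRIVATE KEY-----\n")


def _check_pem(pem, label, is_key=False):
    """Raise ValueError unless `pem` carries the PEM block the Secret key expects."""
    if is_key:
        # Neither 'BEGIN ENCRYPTED PRIVATE KEY' nor a 'Proc-Type: 4,ENCRYPTED'
        # header can be used: the Secret carries no passphrase.
        if "ENCRYPTED" in pem:
            raise ValueError(f"{label}: passphrase-protected keys are not usable here")
        if not _KEY_HEADER.search(pem):
            raise ValueError(f"{label}: expected a PEM private key")
    elif "-----BEGIN CERTIFICATE-----" not in pem:
        raise ValueError(f"{label}: expected a PEM certificate")


def is_usable_key(pem):
    """True if the key passes the checks build_gateway_credential applies."""
    try:
        _check_pem(pem, "tls.key", is_key=True)
        return True
    except ValueError:
        return False


def build_gateway_credential(name, ca_pem, server_cert_pem, server_key_pem,
                             namespace="istio-system"):
    """Return the Secret as a dict. tls.crt/tls.key are the gateway's own
    identity; ca.crt is what client certificates are verified against."""
    _check_pem(ca_pem, "ca.crt")
    _check_pem(server_cert_pem, "tls.crt")
    _check_pem(server_key_pem, "tls.key", is_key=True)

    def b64(s):
        return base64.b64encode(s.encode()).decode()

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {
            "ca.crt": b64(ca_pem),
            "tls.crt": b64(server_cert_pem),
            "tls.key": b64(server_key_pem),
        },
    }


def decode_data(secret):
    """Inverse of the data encoding, for checking what was stored."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


if __name__ == "__main__":
    secret = build_gateway_credential("name-you-want-credential",
                                      CA_PEM, SERVER_CERT_PEM, SERVER_KEY_PEM)
    # Pipe this into `kubectl apply -f -`; the name must match credentialName in the Gateway.
    print(json.dumps(secret, indent=2))
```

The Secret name passed to `build_gateway_credential` is the value that goes into `credentialName` on the Gateway, and the namespace stays `istio-system` because that is where the ingress gateway looks for it.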
With these simple steps, your OPKG client will connect to the repository using mTLS, secured and routed through Istio.

Enjoy!