Access peer identity from your application

Peer identity lookup in ztunnel is a feature of Gloo Mesh, an enterprise distribution of ambient mesh.

With an ambient mesh, communication between workloads is automatically secured with mTLS as soon as they are added to the mesh. One important property of mTLS is that it lets a workload verify who is sending traffic to it.

While authorization policies can enforce which identities are allowed to access which resources, an application can sometimes benefit from knowing the peer identity itself, for application-specific authorization or for observability.

In Gloo Mesh, applications in the ambient mesh can query the mesh to request connection metadata, including the peer identity, which can be used for these purposes.

Peer lookup API

ztunnel exposes peer identity information for mesh-enabled workloads on the link-local address 169.254.169.111, port 80. This endpoint exposes a single API, /connection, which returns metadata about a connection.

The source (src) and destination (dst) of the connection must be provided as query parameters, each as an IP:port pair, from the point of view of the workload making the query: src is the remote peer, dst is the local address the workload is listening on.

For example, imagine an application listening on IP 1.2.3.4, port 9090. It receives a connection from 6.7.8.9, port 47234. It can look up the connection metadata by sending an HTTP GET request to http://169.254.169.111:80/connection?src=6.7.8.9:47234&dst=1.2.3.4:9090.

The metadata service will return metadata in the following format:

{
  "peerIdentity": "spiffe://cluster.local/ns/application/sa/client"
}

peerIdentity is the mTLS-verified identity of the peer, expressed as a SPIFFE ID.

The request is rejected if the connection was not established over mTLS, or if no current connection matches the query parameters. Because only current connections can be looked up, query the metadata while the connection is still open, for example right after accepting it, rather than after it has closed.
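The following Go client shows how an application would perform the lookup described above. It is an added example, not code from Gloo Mesh or ztunnel. It builds the /connection query from an accepted net.Conn (remote address as src, local address as dst), treats any non-200 answer as "no verified peer" since the page does not specify the rejection status code, and decomposes the returned SPIFFE ID using the trust-domain/ns/namespace/sa/service-account layout seen in the example response, so the application can authorize on namespace or service account rather than only on the full string. The 500 ms timeout and the overridable BaseURL/Client fields are assumptions made for testability, not part of the documented API.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Link-local metadata endpoint exposed by ztunnel, as documented above.
const ZtunnelMetadataBase = "http://169.254.169.111:80"

// ErrNoMTLSPeer: ztunnel rejected the query, i.e. the connection was not
// established over mTLS or no live connection matches src/dst.
var ErrNoMTLSPeer = errors.New("no verified peer identity for this connection")

// connectionMetadata mirrors the documented response body.
type connectionMetadata struct {
	PeerIdentity string `json:"peerIdentity"`
}

// PeerLookup is a small client for the /connection API. Zero values select
// the real ztunnel endpoint; BaseURL/Client exist so tests can redirect it.
type PeerLookup struct {
	BaseURL string
	Client  *http.Client
}

// ConnectionURL builds <base>/connection?src=<ip:port>&dst=<ip:port>.
func ConnectionURL(base, src, dst string) string {
	q := url.Values{}
	q.Set("src", src)
	q.Set("dst", dst)
	return strings.TrimRight(base, "/") + "/connection?" + q.Encode()
}

// PeerIdentity asks ztunnel who is on the other end of the connection from
// src to dst. Any non-200 answer is treated as "no verified peer".
func (p *PeerLookup) PeerIdentity(src, dst string) (string, error) {
	base, client := p.BaseURL, p.Client
	if base == "" {
		base = ZtunnelMetadataBase
	}
	if client == nil { // lookup sits on the request path: short timeout (assumed value)
		client = &http.Client{Timeout: 500 * time.Millisecond}
	}
	resp, err := client.Get(ConnectionURL(base, src, dst))
	if err != nil {
		return "", fmt.Errorf("peer lookup: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("%w (HTTP %d)", ErrNoMTLSPeer, resp.StatusCode)
	}
	var md connectionMetadata
	if err := json.NewDecoder(resp.Body).Decode(&md); err != nil {
		return "", fmt.Errorf("peer lookup: malformed response: %w", err)
	}
	if md.PeerIdentity == "" {
		return "", ErrNoMTLSPeer
	}
	return md.PeerIdentity, nil
}

// PeerIdentityForConn derives src/dst from an accepted connection. Call it
// while the connection is still open: ztunnel only answers for live ones.
func (p *PeerLookup) PeerIdentityForConn(c net.Conn) (string, error) {
	return p.PeerIdentity(c.RemoteAddr().String(), c.LocalAddr().String())
}

// SPIFFEID is the decomposed form of an identity such as
// spiffe://cluster.local/ns/application/sa/client.
type SPIFFEID struct{ TrustDomain, Namespace, ServiceAccount string }

// ParseSPIFFEID splits an identity into trust domain, namespace and service
// account, using the <td>/ns/<ns>/sa/<sa> layout of the example response.
func ParseSPIFFEID(id string) (SPIFFEID, error) {
	if !strings.HasPrefix(id, "spiffe://") {
		return SPIFFEID{}, fmt.Errorf("not a SPIFFE ID: %q", id)
	}
	p := strings.Split(strings.TrimPrefix(id, "spiffe://"), "/")
	if len(p) != 5 || p[1] != "ns" || p[3] != "sa" || p[0] == "" || p[2] == "" || p[4] == "" {
		return SPIFFEID{}, fmt.Errorf("unexpected SPIFFE ID layout: %q", id)
	}
	return SPIFFEID{TrustDomain: p[0], Namespace: p[2], ServiceAccount: p[4]}, nil
}

func main() {
	// Outside a mesh the endpoint is unreachable; show the request for the page's example.
	fmt.Println(ConnectionURL(ZtunnelMetadataBase, "6.7.8.9:47234", "1.2.3.4:9090"))
	id, _ := ParseSPIFFEID("spiffe://cluster.local/ns/application/sa/client")
	fmt.Printf("%+v\n", id)
}
```

In a server, call PeerIdentityForConn from the accept loop or connection handler and compare the parsed Namespace and ServiceAccount against the application's own allowlist; an ErrNoMTLSPeer result means the caller is not a verified mesh identity and should be handled accordingly.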