This repository provides a Docker sandbox environment for the "Secure applications with mutual TLS" tutorial.
This sandbox demonstrates securing microservice communication using HashiCorp Vault as a certificate authority (CA) for mutual TLS (mTLS). The tutorial walks through a progression from insecure plaintext communication to fully authenticated, encrypted service-to-service traffic.
The sandbox includes three Docker Compose configurations representing different phases:
| File | Description |
|---|---|
| `docker-compose.insecure.yml` | Services communicate over plaintext HTTP |
| `docker-compose.secure.yml` | Full mTLS with Vault PKI |
| `docker-compose.yml` | Complete reference configuration |
- Vault — PKI secrets engine configured with root and intermediate CAs
- Vault Agent — Sidecar containers that manage certificate lifecycle for each service
- Order Service — Python microservice that calls Inventory Service
- Inventory Service — Python microservice providing inventory data
- Rogue Service — Malicious service with self-signed certificates (blocked by mTLS)
- Rogue Shell — Network troubleshooting container for traffic inspection
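To make the trust relationship between these components concrete, here is an added example in Go (the language Vault itself is written in). It is not code from this repository or from the tutorial: it builds the same root, intermediate and leaf hierarchy with the Go standard library instead of Vault, configures an in-process "inventory" server that requires a client certificate chaining to the root, and dials it once as the order service and once as a rogue service presenting a self-signed certificate. The function names (`BuildDemo`, `CallInventory`), the service names, the 24h lifetime and the reply string are assumptions made for the example; in the real sandbox the certificates come from Vault PKI through the Vault Agent sidecars.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Cert pairs an issued certificate (DER available as Cert.Raw) with its private key.
type Cert struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// template builds a CA or leaf template; the 24h lifetime stands in for the short TTLs that Vault Agent keeps renewing.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tpl.KeyUsage |= x509.KeyUsageCertSign
		return tpl
	}
	tpl.DNSNames, tpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	return tpl
}

// Issue signs tpl with parent; a nil parent yields a self-signed certificate.
func Issue(tpl *x509.Certificate, parent *Cert) *Cert {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the system RNG does
	if parent == nil {
		parent = &Cert{Cert: tpl, Key: key} // self-signed: the issuer is the template itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent.Cert, &key.PublicKey, parent.Key)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der) // re-parse so Raw and SubjectKeyId are populated
	return &Cert{Cert: parsed, Key: key}
}

// BuildDemo issues root -> intermediate -> leaf certificates (the sandbox's Vault PKI layout) and returns the inventory server config plus the order and rogue client configs.
func BuildDemo() (inventory, order, rogue *tls.Config) {
	root := Issue(template("Sandbox Root CA", 1, true), nil)
	inter := Issue(template("Sandbox Intermediate CA", 2, true), root)
	invLeaf := Issue(template("inventory", 3, false), inter)
	orderLeaf := Issue(template("order", 4, false), inter)
	rogueLeaf := Issue(template("inventory", 5, false), nil) // self-signed: no path to the root
	trust := x509.NewCertPool()                               // only the root is trusted; each leaf carries the intermediate
	trust.AddCert(root.Cert)
	chain := func(c *Cert) tls.Certificate { return tls.Certificate{Certificate: [][]byte{c.Cert.Raw, inter.Cert.Raw}, PrivateKey: c.Key} }
	inventory = &tls.Config{Certificates: []tls.Certificate{chain(invLeaf)}, ClientCAs: trust, ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	order = &tls.Config{Certificates: []tls.Certificate{chain(orderLeaf)}, RootCAs: trust, ServerName: "inventory", MinVersion: tls.VersionTLS12}
	rogue = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{rogueLeaf.Cert.Raw}, PrivateKey: rogueLeaf.Key}}, RootCAs: trust, ServerName: "inventory", MinVersion: tls.VersionTLS12}
	return inventory, order, rogue
}

// CallInventory serves one connection with the server config and dials it with the client config.
func CallInventory(server, client *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			c.SetDeadline(time.Now().Add(5 * time.Second))
			c.Write([]byte("inventory: 42 widgets")) // the first write runs the handshake, including the client-cert check
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	reply, err := io.ReadAll(conn) // a rejected client certificate surfaces here as a TLS alert
	return string(reply), err
}

func main() {
	inventory, order, rogue := BuildDemo()
	for name, cfg := range map[string]*tls.Config{"order": order, "rogue": rogue} {
		reply, err := CallInventory(inventory, cfg)
		fmt.Printf("%-5s -> reply=%q err=%v\n", name, reply, err)
	}
}
```

Running it prints a reply for `order` and an error for `rogue`; the rogue client completes the TLS 1.3 handshake from its own point of view, so the rejection only shows up as an alert on the first read, which is why `CallInventory` reads the response instead of stopping at `tls.Dial`. The point the sandbox makes is the same: a certificate that does not chain to the Vault root is refused no matter what name it claims.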
```text
policies/      # Vault ACL policies for each service
vault-agent/   # Vault Agent configurations and templates
scripts/       # Setup, demo, and utility scripts
```