Merge pull request #13 from WorldHealthOrganization/fix/mtls-certs-config-for-tng-connection
fix: mtls certs config for tng connection
Showing 3 changed files with 117 additions and 1 deletion.
certs/From Files to secrets to container with mounted volumes.md (58 additions, 0 deletions)
@@ -0,0 +1,58 @@ | ||
### How to populate the keystores and truststores, trustanchor files in k8s cluster | ||
A general approach how to secrets are mounted volumes can be found in the official [documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume) | ||
1.) generate the keystore, truststore trust_anchor as described in [PlaceYourGatewayAccessKeysHere.md](PlaceYourGatewayAccessKeysHere.md) | ||
2.) combine the resulting files in a single secret with | ||
```(bash) | ||
kubectl create secret generic mtls_secret --dry-run=client -o yaml --from-file=tls_key_store.p12 --from-file=tng_tls_server_truststore.p12 --from-file=trustanchor_store.jks > mtls_secret.yaml | ||
kubectl create secret generic <secret-name> --dry-run=client -o yaml --from-file=<file1.p12> --from-file=<file2>.p12 --from-file=<file3.jks> > combined_tls_secret.yaml | ||
``` | ||
this will result in a yaml file containing the base64 encoded file contents of that three files | ||
```(json) | ||
apiVersion: v1 | ||
data: | ||
tls_key_store.p12: MIIF3wIBAzCCBZUGDQEJFDEkHiIAYwBsAGkAZQBuAHQAYwByAGUAZABlAG4AdABpAGEAbABzMEEwMTANBglghkgBZQMEAgEFAAQgt/aPlSTVrkAIplPg++vrX...../czGzdjH1XPrutiae8EAFoECKv4c1pYD2TDAgIIAA== | ||
trustanchor_store.jks: /u3+7QAAAAIAAAABAAAAAgAadG5nLXRscy1zZXJ2ZXItY2VydGlmaWNhdGUAAAGLVC9h5gAFWC41MDkAAAUaMIIFFjCCAv6gAwIBAgIRAJErCEr | ||
tng_tls_server_truststore.p12: /u3+7QAAAAIAAAABAAAAAgAXoB1.....lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4avAuvDsz | ||
kind: Secret | ||
metadata: | ||
creationTimestamp: null | ||
name: mtls_secret | ||
``` | ||
This file then can be temporarily included in your helm charts or directly applied to your cluster with | ||
```(shell) | ||
kubectl apply -f mtls_secret.yaml # will apply the secret to current context | ||
``` | ||
**Note that your secrets with keystores/truststores contain sensible data. Keep them in save place** | ||
|
||
In the deployment of your helm chart include the the secret as volumes in the template spec | ||
````(helm) | ||
spec: | ||
template: | ||
spec: | ||
volumes: | ||
- name: secrets-jks | ||
secret: | ||
secretName: mtls-secret | ||
items: | ||
- key: tls_key_store.p12 | ||
path: tls_key_store.p12 | ||
- key: trustanchor_store.jks | ||
path: trustanchor_store.jks | ||
- key: tng_tls_server_truststore.p12 | ||
path: tng_tls_server_truststore.p12 | ||
```` | ||
The items array is optional as long as the keynames reflect the filenames and all keys in the secret | ||
shall be mapped to files | ||
|
||
The according volume mounts are defined in the container section | ||
````(helm) | ||
spec: | ||
templates: | ||
spec: | ||
containers: | ||
volumeMounts: | ||
- name: secrets-jks | ||
mountPath: /certs | ||
readOnly: true | ||
```` | ||
|
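Review bot: the Secret is created as `mtls_secret` (both in the `kubectl create secret generic mtls_secret ...` command and as `name: mtls_secret` in the generated YAML) but the Deployment volume references `secretName: mtls-secret`, so the pod would never find it; and `mtls_secret` is not a valid Secret name in the first place, because Kubernetes object names must be RFC 1123 subdomains (lowercase alphanumerics, `-` and `.`, no underscore), so `kubectl apply -f mtls_secret.yaml` would be rejected by the API server. Use `mtls-secret` in both places (the data keys such as `tls_key_store.p12` may keep their underscores). The second manifest snippet is also not valid Deployment YAML: `templates:` should be `template:`, and `volumeMounts:` must sit under a list entry of `containers:` (`containers:` / `- name: ...` / `volumeMounts:`), not directly under `containers:`. The fence info strings `(bash)`, `(json)`, `(shell)` and `(helm)` are not recognised by Markdown renderers; use `bash` and `yaml` (the Secret output is YAML, not JSON). Wording: "sensible data. Keep them in save place" should read "sensitive data. Keep them in a safe place", and it is worth saying explicitly that `mtls_secret.yaml` holds the client private key base64-encoded, not encrypted, so it should not be checked into the chart repository even "temporarily" (apply it out of band, or have it created by a secrets operator).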
@@ -10,7 +10,7 @@ image: | |
repository: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution | ||
pullPolicy: IfNotPresent | ||
# Overrides the image tag whose default is the chart appVersion. | ||
tag: "0.0.1-2840d04" | ||
tag: "0.0.1-d890889" #"0.0.1-2840d04" | ||
|
||
#kubectl -n <k8s-namespace> create secret docker-registry <k8s-docker-registry-secret-name> --docker-server=ghcr.io --docker-username=<github-username> --docker-password=<github-personal-access-token> --docker-email=<email-address> -o yaml | ||
#kubectl -n kds create secret docker-registry tng-distribution-pull-secret --docker-server=ghcr.io --docker-username=anonymous --docker-password=<PAT> [email protected] -o yaml | ||
|
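Review bot: the previous tag is carried along as a trailing comment (`tag: "0.0.1-d890889" #"0.0.1-2840d04"`); git history already records it, so drop the comment, and consider pinning the image by digest instead of a tag that can be re-pushed. The two commented `kubectl create secret docker-registry` lines that follow belong in the README rather than in values.yaml; if they stay, keep only the placeholder form, since the second one hard-codes `--docker-username=anonymous` and a specific `--docker-email` that readers may copy as-is.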
@@ -110,3 +110,24 @@ spring: | |
# Server port | ||
server: | ||
port: 8080 | ||
|
||
|
||
gateway: | ||
connector: | ||
enabled: true | ||
endpoint: <endpoint of the tng> | ||
proxy: | ||
enabled: false | ||
max-cache-age: 300 | ||
tls_trust_store: #CA of TNG Gateway of TLS certificate | ||
alias: <alias of the cert in truststore> | ||
password: <password to open truststore> | ||
path: <full pathname of the truststore file> | ||
tls_key_store: # client cert key pair of participant | ||
alias: <alias of the cert in keystore> | ||
password: <password to open keystore> | ||
path: <full path of the keystore file> | ||
trust_anchor: # TA pem file of TNG that was used for signing | ||
alias: <alias of the trust_anchor chert> | ||
password: <password to open trust_anchor_store> | ||
path: <full path of the trust_anchor_store> |
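Review bot: the three `password:` placeholders become plaintext chart values as soon as a deployer fills them in; since the keystore files themselves are delivered through a Secret (per the new certs/ doc in this PR), the store passwords should come from a Secret too (for example an environment variable that Spring Boot's relaxed binding maps onto the property) rather than from values.yaml. The `path:` placeholders should state the defaults that match the `/certs` mount described in that doc (`/certs/tls_key_store.p12`, `/certs/tng_tls_server_truststore.p12`, `/certs/trustanchor_store.jks`), otherwise the doc and the values file cannot be used together without guessing. The `trust_anchor` comment says "TA pem file" while its keys (`alias`, `password`, `path` of a `trust_anchor_store`) describe a keystore; align the comment with what the connector actually loads. Also fix the typo "chert" and the comment "#CA of TNG Gateway of TLS certificate" (read: "CA that issued the TNG gateway's TLS certificate"), and pick one key style (`max-cache-age` vs `tls_trust_store`); relaxed binding accepts both, but mixing them in one block invites mistakes.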