Merge pull request #13 from WorldHealthOrganization/fix/mtls-certs-config-for-tng-connection

fix: mtls certs config for tng connection
ascheibal authored Nov 24, 2023
2 parents d890889 + 079b865 commit 96875db
Showing 3 changed files with 117 additions and 1 deletion.
58 changes: 58 additions & 0 deletions certs/From Files to secrets to container with mounted volumes.md
@@ -0,0 +1,58 @@
### How to populate the keystores and truststores, trustanchor files in k8s cluster
A general approach how to secrets are mounted volumes can be found in the official [documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume)
1.) generate the keystore, truststore trust_anchor as described in [PlaceYourGatewayAccessKeysHere.md](PlaceYourGatewayAccessKeysHere.md)
2.) combine the resulting files in a single secret with
```(bash)
kubectl create secret generic mtls_secret --dry-run=client -o yaml --from-file=tls_key_store.p12 --from-file=tng_tls_server_truststore.p12 --from-file=trustanchor_store.jks > mtls_secret.yaml
kubectl create secret generic <secret-name> --dry-run=client -o yaml --from-file=<file1.p12> --from-file=<file2>.p12 --from-file=<file3.jks> > combined_tls_secret.yaml
```
this will result in a yaml file containing the base64 encoded file contents of that three files
```(json)
apiVersion: v1
data:
tls_key_store.p12: MIIF3wIBAzCCBZUGDQEJFDEkHiIAYwBsAGkAZQBuAHQAYwByAGUAZABlAG4AdABpAGEAbABzMEEwMTANBglghkgBZQMEAgEFAAQgt/aPlSTVrkAIplPg++vrX...../czGzdjH1XPrutiae8EAFoECKv4c1pYD2TDAgIIAA==
trustanchor_store.jks: /u3+7QAAAAIAAAABAAAAAgAadG5nLXRscy1zZXJ2ZXItY2VydGlmaWNhdGUAAAGLVC9h5gAFWC41MDkAAAUaMIIFFjCCAv6gAwIBAgIRAJErCEr
tng_tls_server_truststore.p12: /u3+7QAAAAIAAAABAAAAAgAXoB1.....lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4avAuvDsz
kind: Secret
metadata:
creationTimestamp: null
name: mtls_secret
```
This file then can be temporarily included in your helm charts or directly applied to your cluster with
```(shell)
kubectl apply -f mtls_secret.yaml # will apply the secret to current context
```
**Note that your secrets with keystores/truststores contain sensible data. Keep them in save place**

In the deployment of your helm chart include the the secret as volumes in the template spec
````(helm)
spec:
template:
spec:
volumes:
- name: secrets-jks
secret:
secretName: mtls-secret
items:
- key: tls_key_store.p12
path: tls_key_store.p12
- key: trustanchor_store.jks
path: trustanchor_store.jks
- key: tng_tls_server_truststore.p12
path: tng_tls_server_truststore.p12
````
The items array is optional as long as the keynames reflect the filenames and all keys in the secret
shall be mapped to files

The according volume mounts are defined in the container section
````(helm)
spec:
templates:
spec:
containers:
volumeMounts:
- name: secrets-jks
mountPath: /certs
readOnly: true
````

37 changes: 37 additions & 0 deletions k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml
Expand Up @@ -57,6 +57,32 @@ spec:
secretKeyRef:
name: {{ include "tngkds-backend.fullname" . }}-secret
key: pgPassword
- name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PATH
value: {{ .Values.gateway.connector.tls_trust_store.path }}
- name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PASSWORD
value: {{ .Values.gateway.connector.tls_trust_store.password }}
- name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_ALIAS
value: {{ .Values.gateway.connector.tls_trust_store.alias }}
- name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PATH
value: {{ .Values.gateway.connector.tls_key_store.path }}
- name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PASSWORD
value: {{ .Values.gateway.connector.tls_key_store.password }}
- name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_ALIAS
value: {{.Values.gateway.connector.tls_key_store.alias }}
- name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PATH
value: {{ .Values.gateway.connector.trust_anchor.path }}
- name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PASSWORD
value: {{ .Values.gateway.connector.trust_anchor.password }}
- name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_ALIAS
value: {{ .Values.gateway.connector.trust_anchor.alias }}
- name: DGC_GATEWAY_CONNECTOR_ENABLED
value: {{ .Values.gateway.connector.enabled |quote }}
- name: DGC_GATEWAY_CONNECTOR_ENDPOINT
value: {{ .Values.gateway.connector.endpoint }}
volumeMounts:
- name: secrets-jks
mountPath: /certs
readOnly: true
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
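Review bot: the three `*_PASSWORD` variables are rendered as plain `value:` strings from values.yaml, which puts the keystore, truststore and trust anchor passwords in clear text into the rendered manifest, `kubectl get deploy -o yaml` and `kubectl describe pod` for anyone with read access to those objects. The `pgPassword` entry directly above already shows the pattern to follow: `valueFrom: secretKeyRef:` pointing at `{{ include "tngkds-backend.fullname" . }}-secret`. Second, only `DGC_GATEWAY_CONNECTOR_ENABLED` is piped through `| quote`; every other `value:` here is unquoted, so a password or alias that YAML parses as a number or boolean (for example `123456` or `true`) renders as a non-string and the Deployment is rejected, because `env[].value` must be a string; add `| quote` to all of them. Minor: `{{.Values.gateway.connector.tls_key_store.alias }}` is missing the space after `{{` that the other lines have, and the `secrets-jks` mount is hard-coded to `/certs` while the file paths the application reads come from values, so either document that the `path` values must be `/certs/<key name>` or derive both from the same values entry.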
Expand All @@ -71,3 +97,14 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: secrets-jks
secret:
secretName: mtls-secret
items:
- key: tls_key_store.p12
path: tls_key_store.p12
- key: trustanchor_store.jks
path: trustanchor_store.jks
- key: tng_tls_server_truststore.p12
path: tng_tls_server_truststore.p12
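Review bot: `secretName: mtls-secret` is hard-coded and the volume is unconditional, so a pod whose values set `gateway.connector.enabled: false` still sits in `ContainerCreating` until someone creates a secret with exactly that name, and two releases of this chart in one namespace would share it. Either wrap the volume and its mount in `{{- if .Values.gateway.connector.enabled }}`, take the name from values with a default derived from `include "tngkds-backend.fullname"` as the other secret in this template does, or at least set `optional: true` on the secret volume. The `items:` list only repeats each key name as its path, which is the default projection, so it can be dropped.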
23 changes: 22 additions & 1 deletion k8s/helm/tngkds/charts/tngkds-backend/values.yaml
Expand Up @@ -10,7 +10,7 @@ image:
repository: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "0.0.1-2840d04"
tag: "0.0.1-d890889" #"0.0.1-2840d04"

#kubectl -n <k8s-namespace> create secret docker-registry <k8s-docker-registry-secret-name> --docker-server=ghcr.io --docker-username=<github-username> --docker-password=<github-personal-access-token> --docker-email=<email-address> -o yaml
#kubectl -n kds create secret docker-registry tng-distribution-pull-secret --docker-server=ghcr.io --docker-username=anonymous --docker-password=<PAT> [email protected] -o yaml
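Review bot: `tag: "0.0.1-d890889" #"0.0.1-2840d04"` keeps the previous tag as a trailing comment; drop it rather than accumulating dead values, since git history already records the old tag and the comment above the line already explains what `tag` overrides.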
Expand Down Expand Up @@ -110,3 +110,24 @@ spring:
# Server port
server:
port: 8080


gateway:
connector:
enabled: true
endpoint: <endpoint of the tng>
proxy:
enabled: false
max-cache-age: 300
tls_trust_store: #CA of TNG Gateway of TLS certificate
alias: <alias of the cert in truststore>
password: <password to open truststore>
path: <full pathname of the truststore file>
tls_key_store: # client cert key pair of participant
alias: <alias of the cert in keystore>
password: <password to open keystore>
path: <full path of the keystore file>
trust_anchor: # TA pem file of TNG that was used for signing
alias: <alias of the trust_anchor chert>
password: <password to open trust_anchor_store>
path: <full path of the trust_anchor_store>
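Review bot: `proxy:` and `max-cache-age:` are added under `gateway.connector`, but the deployment template in this PR only wires `enabled`, `endpoint` and the three store blocks into `DGC_GATEWAY_CONNECTOR_*` variables, so those two settings are silently ignored; either add the matching env entries or leave them out of values.yaml. The `password:` fields invite operators to put keystore and trust anchor passwords into a file that is committed to git and rendered into the Deployment; default them to empty and document that they are supplied at install time (`--set`, an override values file kept out of the repository, or a pre-created secret). The `path:` placeholders should state the actual mount location the template uses, i.e. `/certs/tls_key_store.p12`, `/certs/tng_tls_server_truststore.p12` and `/certs/trustanchor_store.jks`, since the `secrets-jks` volume is mounted at `/certs` with exactly those key names. Also `trust_anchor chert` is a typo for `cert`.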
