Defeature Kong external TLS generated from local CA #2928

Closed
bnevis-i opened this issue Dec 7, 2020 · 0 comments · Fixed by #2940

bnevis-i commented Dec 7, 2020

🚀 Feature Request

Description

In accordance with the TLS ADR, bootstrapping support for Kong TLS shall be defeatured. This feature currently generates a local CA and leaf certificate for Kong external TLS, and installs these assets in the Kong configuration.

Describe the solution you'd like

Kong TLS defeaturing should be implemented as the following separable features:

  • security-secretstore-setup should be changed such that

    • If configuration parameters for Kong TLS are absent or blank, security-secretstore-setup shall function as normal with the exception that the Kong TLS certificate and private key will not be uploaded to Vault
    • The configuration.toml values that control Kong TLS certificate and key uploading shall be blank by default
  • edgex-proxy should be changed such that

    • If configuration parameters that control retrieval of the Kong TLS certificate and private key are absent or blank, edgex-proxy will configure Kong as normal, but skip configuration of the TLS certificate and private key on the external endpoint
    • The configuration.toml values that pertain to TLS configuration shall be blank by default
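The blank-means-skip rule requested above, sketched in Go as an added example (not code from the issue or from edgex-go). `KongTLSConfig`, `ShouldConfigureTLS` and `ErrPartialTLSConfig` are hypothetical names; the field names are taken from the commit message, and rejecting a partially filled configuration is an assumption of this example, not something the issue specifies.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// KongTLSConfig is hypothetical. Field names come from the commit message;
// grouping them in one struct is an assumption of this example.
type KongTLSConfig struct {
	CertPath, CertFilePath, KeyFilePath string
}

// ErrPartialTLSConfig marks a config where only some TLS values are set.
var ErrPartialTLSConfig = errors.New("partial Kong TLS configuration")

// ShouldConfigureTLS reports whether Kong TLS assets should be handled.
// All values blank (the new default): false, nil (run as normal, skip TLS).
// All values set: true, nil.
// A mix: error (assumption: fail closed instead of guessing intent).
func ShouldConfigureTLS(c KongTLSConfig) (bool, error) {
	fields := []struct{ name, value string }{
		{"CertPath", c.CertPath},
		{"CertFilePath", c.CertFilePath},
		{"KeyFilePath", c.KeyFilePath},
	}
	var blank []string
	for _, f := range fields {
		// Whitespace-only counts as blank, the same as an absent key.
		if strings.TrimSpace(f.value) == "" {
			blank = append(blank, f.name)
		}
	}
	switch len(blank) {
	case len(fields):
		return false, nil
	case 0:
		return true, nil
	default:
		return false, fmt.Errorf("%w: blank %s", ErrPartialTLSConfig, strings.Join(blank, ", "))
	}
}

func main() {
	// Constructed sample values, not taken from the project.
	full := KongTLSConfig{CertPath: "example/kong-tls", CertFilePath: "/tmp/example/cert.pem", KeyFilePath: "/tmp/example/key.pem"}
	for _, c := range []KongTLSConfig{{}, full, {CertFilePath: "/tmp/example/cert.pem"}} {
		ok, err := ShouldConfigureTLS(c)
		fmt.Printf("%+v -> configure=%v err=%v\n", c, ok, err)
	}
}
```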
@bnevis-i bnevis-i added enhancement New feature or request security-services 3-high priority denoting release-blocking issues labels Dec 7, 2020
@bnevis-i bnevis-i added this to the Ireland milestone Dec 7, 2020
@jim-wang-intel jim-wang-intel linked a pull request Dec 11, 2020 that will close this issue
lenny-goodell pushed a commit that referenced this issue Dec 11, 2020
The kong config options for CertPath, CertFilePath, and KeyFilePath
in configuration.toml are now optional. By default, those values
are now empty. I also cleaned up a single quote situation in the
token provider configuration.toml.

fixes: #2928

Signed-off-by: Beau Frusetta <[email protected]>
jim-wang-intel pushed a commit to jim-wang-intel/edgex-go that referenced this issue Dec 15, 2020
The kong config options for CertPath, CertFilePath, and KeyFilePath
in configuration.toml are now optional. By default, those values
are now empty. I also cleaned up a single quote situation in the
token provider configuration.toml.

fixes: edgexfoundry#2928

Signed-off-by: Beau Frusetta <[email protected]>