Uploaded image for project: 'Red Hat Service Interconnect (Skupper)'
  1. Red Hat Service Interconnect (Skupper)
  2. SKUPPER-25

Support TLS configuration for Services

XMLWordPrintable

      Technical notes

      • Add the sslProfile to the HTTP2 connectors and listeners when adding a Ingress/Egress bridge.
      • Clients could verify the certificate of the server, therefore the HTTP2 connector will need a CA file.
      • Generate a different TLS certificate per service (including a valid service name), while using the same CA file for all service-focused certs. This CA file could be generated in  Skupper's initialization.
      • TCP connectors/listeners are not covered in this feature.
      • https://docs.google.com/presentation/d/1UtGMNeSlwntLPNrUFvlMjm5alymvdCwxjMaQcU7p6Do/edit?usp=sharing

      Non-functional requirements

       

      Given When Then
      skupper not being installed on a site Executing the command `skupper init`
      • A CA for the site was created and stored as secret (skupper-site-ca)
      • A secret that only contains the CA file will be stored used as TLS config for egress bindings (skupper-service-client)
      skupper is already installed Executing the command `skupper service create` without the flag `enable-tls`
      • Keep same behaviour as it is, creating a listener without sslConfig
      skupper is already installed Executing the command `skupper service create` the flag `enable-tls`
      • A certificate signed with the site CA will be created and stored as a secret following the pattern "skupper-<service name>"
      a service has been created with the flag enableTls Synchronizing service definitions
      • All the connected sites would have the same service bindings with the same tls config for the skupper-services config map
      • The secret will be appended to a volume to the router deployment
      • If a particular site does not have the secret certificate, it would be generated as well using the CA for that site.
      a service has been created with the flag enableTls Updating bridges
      • the HttpListener created in the router will include the sslConfig from the service secret
      a service has been created Removing the service from skupper
      • Check if the secret associated with the service exists and in that case, deleted as well from kubernetes
      skupper not being installed on a site Executing the command `skupper gateway init`
      • A CA for the site was created and stored as secret (skupper-site-ca)
      • A secret that only contains the CA file will be stored used as TLS config for egress bindings (skupper-service-client)
      skupper is already installed Exposing a service with the command `skupper service expose`
      • All the connected sites would have the same service bindings with the same TLS config for the skupper-services config map
      • The secret will be appended to a volume to the router deployment
      • If a particular site does not have the secret certificate, it would be generated as well using the CA for that site.
      • The http2 connector will be created in the router with an ssl profile with the name of the generic client secret for services
      • the http2 listener will be created in the router with a ssl profile with the name of the service secret.
      skupper is already installed Executing the command `skupper delete`
      • The secrets created to support TLS have to be deleted from kubernetes as well.

       

       

        1. TLS configuration-1.png
          TLS configuration-1.png
          27 kB
        2. TLS configuration.png
          TLS configuration.png
          29 kB

              nluaces@redhat.com Noe Luaces
              ansmith@redhat.com Andrew Smith
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: