Task
Resolution: Unresolved
Priority: Major
Sprint: RHOAM Sprint 64, RHOAM Sprint 65, RHOAM Sprint 66
We need porta and apisonator to be able to load TLS details to connect to Redis. In particular, we need:
- CA certificate
- Client certificate
- Client private key
These can be mounted wherever the operator decides, but the operator must set the following environment variables to tell porta and apisonator where the files are. Each component talks to two Redis instances, so every setting comes as a pair:
- Backend (apisonator):
  - CONFIG_REDIS_CA_FILE and CONFIG_QUEUES_CA_FILE for the CA certificate
  - CONFIG_REDIS_CERT and CONFIG_QUEUES_CERT for the client certificate
  - CONFIG_REDIS_PRIVATE_KEY and CONFIG_QUEUES_PRIVATE_KEY for the client key
  - CONFIG_REDIS_SSL and CONFIG_QUEUES_SSL must be set to true when any of the above is present
- System (porta):
  - REDIS_CA_FILE and BACKEND_REDIS_CA_FILE for the CA certificate
  - REDIS_CLIENT_CERT and BACKEND_REDIS_CLIENT_CERT for the client certificate
  - REDIS_PRIVATE_KEY and BACKEND_REDIS_PRIVATE_KEY for the client key
  - REDIS_SSL and BACKEND_REDIS_SSL must be set to true when any of the above is present
The client should create the following resources:
- a TLS Secret (Kubernetes Secret of type kubernetes.io/tls) for the CA certificate
- a TLS Secret for the client certificate and key
Note that the API server requires both tls.crt and tls.key in a kubernetes.io/tls Secret, so a CA-only Secret has to either carry a placeholder tls.key or use the Opaque type instead. In both Secrets the base64 encoding only obscures the values: the client private key is protected by RBAC on the Secret and by mounting it read-only into only the pods that need it, not by the encoding.

A Secret would look like this (the example from the Kubernetes docs):

apiVersion: v1
kind: Secret
metadata:
  name: secret-tls
type: kubernetes.io/tls
data:
  # values are base64 encoded, which obscures them but does NOT provide
  # any useful level of confidentiality
  tls.crt: |
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNVakNDQWJzQ0FnMytNQTBHQ1NxR1NJYjNE
    UUVCQlFVQU1JR2JNUXN3Q1FZRFZRUUdFd0pLVURFT01Bd0cKQTFVRUNCTUZWRzlyZVc4eEVEQU9C
    Z05WQkFjVEIwTm9kVzh0YTNVeEVUQVBCZ05WQkFvVENFWnlZVzVyTkVSRQpNUmd3RmdZRFZRUUxF
    dzlYWldKRFpYSjBJRk4xY0hCdmNuUXhHREFXQmdOVkJBTVREMFp5WVc1ck5FUkVJRmRsCllpQkRR
    VEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVjM1Z3Y0c5eWRFQm1jbUZ1YXpSa1pDNWpiMjB3SGhjTk1U
    TXcKTVRFeE1EUTFNVE01V2hjTk1UZ3dNVEV3TURRMU1UTTVXakJMTVFzd0NRWURWUVFHREFKS1VE
    RVBNQTBHQTFVRQpDQXdHWEZSdmEzbHZNUkV3RHdZRFZRUUtEQWhHY21GdWF6UkVSREVZTUJZR0Ex
    VUVBd3dQZDNkM0xtVjRZVzF3CmJHVXVZMjl0TUlHYU1BMEdDU3FHU0liM0RRRUJBUVVBQTRHSUFE
    Q0JoQUo5WThFaUhmeHhNL25PbjJTbkkxWHgKRHdPdEJEVDFKRjBReTliMVlKanV2YjdjaTEwZjVN
    Vm1UQllqMUZTVWZNOU1vejJDVVFZdW4yRFljV29IcFA4ZQpqSG1BUFVrNVd5cDJRN1ArMjh1bklI
    QkphVGZlQ09PekZSUFY2MEdTWWUzNmFScG04L3dVVm16eGFLOGtCOWVaCmhPN3F1TjdtSWQxL2pW
    cTNKODhDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQU1meTQzeE15OHh3QTUKVjF2T2NS
    OEtyNWNaSXdtbFhCUU8xeFEzazlxSGtyNFlUY1JxTVQ5WjVKTm1rWHYxK2VSaGcwTi9WMW5NUTRZ
    RgpnWXcxbnlESnBnOTduZUV4VzQyeXVlMFlHSDYyV1hYUUhyOVNVREgrRlowVnQvRGZsdklVTWRj
    UUFEZjM4aU9zCjlQbG1kb3YrcE0vNCs5a1h5aDhSUEkzZXZ6OS9NQT09Ci0tLS0tRU5EIENFUlRJ
    RklDQVRFLS0tLS0K
  # In this example, the key data is not a real PEM-encoded private key
  tls.key: |
    RXhhbXBsZSBkYXRhIGZvciB0aGUgVExTIGNydCBmaWVsZA==
Then we would need some YAML keywords so the user can mount the files easily. This is a suggestion:

apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
  name: apimanager1
spec:
  system:
    redisCaCertRef:
      name: my-secret-with-ca-cert
    redisClientCertRef:
      name: my-secret-with-client-cert
  backend:
    redisCaCertRef:
      name: my-secret-with-ca-cert
    redisClientCertRef:
      name: my-secret-with-client-cert
Essentially, this is: create a Secret with the TLS certificate and key, mount it into the pod, and set an environment variable pointing at the file location. This has to be done for both backend and system:
- Backend: listener and worker pods
- System: app and sidekiq pods
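The wiring described above, as an added example in Go (the operator's language). This is not the 3scale operator's code: the function names RedisTLSEnv, ValidateRedisTLS and GenerateTestMaterial, the Component type and the mount paths /tls/ca and /tls/client are assumptions; the environment variable names are the ones listed in this ticket. Besides building the variables for a pod, it shows the pre-flight check a validation step could run on the two Secrets: a CA certificate must be present, the client certificate and key must belong together, and the client certificate must chain to that CA for client authentication. The CA and client certificate it validates are generated in-process as constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

type Component int // selects which set of variables from the ticket applies

const (
	Backend Component = iota // apisonator: listener and worker pods
	System                   // porta: app and sidekiq pods
)

// One row per Redis connection: CA file, client cert, client key, SSL switch (names from the ticket).
var envNames = map[Component][][4]string{
	Backend: {
		{"CONFIG_REDIS_CA_FILE", "CONFIG_REDIS_CERT", "CONFIG_REDIS_PRIVATE_KEY", "CONFIG_REDIS_SSL"},
		{"CONFIG_QUEUES_CA_FILE", "CONFIG_QUEUES_CERT", "CONFIG_QUEUES_PRIVATE_KEY", "CONFIG_QUEUES_SSL"},
	},
	System: {
		{"REDIS_CA_FILE", "REDIS_CLIENT_CERT", "REDIS_PRIVATE_KEY", "REDIS_SSL"},
		{"BACKEND_REDIS_CA_FILE", "BACKEND_REDIS_CLIENT_CERT", "BACKEND_REDIS_PRIVATE_KEY", "BACKEND_REDIS_SSL"},
	},
}

// RedisTLSEnv builds the variables the operator injects into a pod. Empty paths are skipped and
// the *_SSL flag is forced to "true" whenever any TLS file is set, the rule the ticket states.
func RedisTLSEnv(c Component, caFile, certFile, keyFile string) map[string]string {
	env := map[string]string{}
	for _, n := range envNames[c] { // both connections of the component get the same files here
		for i, v := range []string{caFile, certFile, keyFile} {
			if v != "" {
				env[n[i]], env[n[3]] = v, "true"
			}
		}
	}
	return env
}

// ValidateRedisTLS checks the referenced Secrets before pods are rolled: a CA certificate must be
// present, client cert and key must match, and the cert must chain to that CA with clientAuth usage.
func ValidateRedisTLS(caPEM, certPEM, keyPEM []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("CA secret: no CERTIFICATE block found")
	}
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // also errors when key and cert do not match
	if err != nil {
		return fmt.Errorf("client secret: %w", err)
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // X509KeyPair already parsed it once
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("client cert does not chain to the CA for client auth: %w", err)
	}
	return nil
}

// GenerateTestMaterial makes a throwaway CA plus a client cert it signs, as PEM. Constructed test
// data only; a real deployment gets these files from its own PKI.
func GenerateTestMaterial() (caPEM, certPEM, keyPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cliKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "redis-test-ca"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER) // parent for the client cert (issuer name, AKI)
	cliTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "apisonator"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cliDER, err := x509.CreateCertificate(rand.Reader, cliTmpl, caCert, &cliKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(cliKey)
	enc := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return enc("CERTIFICATE", caDER), enc("CERTIFICATE", cliDER), enc("PRIVATE KEY", keyDER)
}

func main() {
	ca, cert, key := GenerateTestMaterial()
	fmt.Println(ValidateRedisTLS(ca, cert, key)) // <nil> when the material is consistent
	fmt.Println(RedisTLSEnv(Backend, "/tls/ca/tls.crt", "/tls/client/tls.crt", "/tls/client/tls.key"))
}
```

The paths passed to RedisTLSEnv follow from mounting the two kubernetes.io/tls Secrets at /tls/ca and /tls/client, where each appears as tls.crt and tls.key; with the Opaque variant for the CA Secret the file name is whatever key the Secret uses. Running the validation against a deliberately wrong CA or a key that does not belong to the certificate makes it fail, which is the failure an operator wants to surface before it restarts listener, worker, app and sidekiq pods with an unusable Redis connection.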
Issue links:
- blocks: THREESCALE-11453 Add validation for TLS and ACL certs/creds (New)
- is related to: THREESCALE-10908 3scale Operator changes to support TLS/ACL changes for Redis (To Develop)
- is related to: THREESCALE-10870 Apisonator: CI: Add jobs for all supported Redis deployments (Closed)
- relates to: THREESCALE-8404 TLS and ACL support for Redis connection (To Test (QE))
- links to: RHEA-2024:128529 Red Hat 3scale API Management 2.15.0 Release - Container Images