Red Hat 3scale API Management
THREESCALE-11020

Add a way for the user to provide Redis TLS certs and keys for porta and backend


    • RHOAM Sprint 64, RHOAM Sprint 65, RHOAM Sprint 66

      We need porta and apisonator to be able to load TLS details to connect to Redis. In particular, we need:

      • CA certificate
      • Client certificate
      • Client private key

      Those can be mounted wherever the operator decides, but the operator should set the following environment variables to tell porta and apisonator where the files are:

      • Backend:
        • CONFIG_REDIS_CA_FILE and CONFIG_QUEUES_CA_FILE for the CA certificate
        • CONFIG_REDIS_CERT and CONFIG_QUEUES_CERT for the client certificate
        • CONFIG_REDIS_PRIVATE_KEY and CONFIG_QUEUES_PRIVATE_KEY for the client key
        • CONFIG_REDIS_SSL and CONFIG_QUEUES_SSL must be set to true when any of the above is present
      • System:
        • REDIS_CA_FILE and BACKEND_REDIS_CA_FILE for the CA certificate
        • REDIS_CLIENT_CERT and BACKEND_REDIS_CLIENT_CERT for the client certificate
        • REDIS_PRIVATE_KEY and BACKEND_REDIS_PRIVATE_KEY for the client key
        • REDIS_SSL and BACKEND_REDIS_SSL must be set to true when any of the above is present

      The client should create the following resources:

      • TLS Secret (docs) for the CA certificate
      • TLS Secret for the client cert and key. Would like this:

        apiVersion: v1
        kind: Secret
        metadata:
          name: secret-tls
        type: kubernetes.io/tls
        data:
          # values are base64 encoded, which obscures them but does NOT provide
          # any useful level of confidentiality
          tls.crt: |
            LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNVakNDQWJzQ0FnMytNQTBHQ1NxR1NJYjNE
            UUVCQlFVQU1JR2JNUXN3Q1FZRFZRUUdFd0pLVURFT01Bd0cKQTFVRUNCTUZWRzlyZVc4eEVEQU9C
            Z05WQkFjVEIwTm9kVzh0YTNVeEVUQVBCZ05WQkFvVENFWnlZVzVyTkVSRQpNUmd3RmdZRFZRUUxF
            dzlYWldKRFpYSjBJRk4xY0hCdmNuUXhHREFXQmdOVkJBTVREMFp5WVc1ck5FUkVJRmRsCllpQkRR
            VEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVjM1Z3Y0c5eWRFQm1jbUZ1YXpSa1pDNWpiMjB3SGhjTk1U
            TXcKTVRFeE1EUTFNVE01V2hjTk1UZ3dNVEV4TURRMU1UTTVXakJMTVFzd0NRWURWUVFHREFKS1VE
            RVBNQTBHQTFVRQpDQXdHWEZSdmEzbHZNUkV3RHdZRFZRUUtEQWhHY21GdWF6UkVSREVZTUJZR0Ex
            VUVBd3dQZDNkM0xtVjRZVzF3CmJHVXVZMjl0TUlHYU1BMEdDU3FHU0liM0RRRUJBUVVBQTRHSUFE
            Q0JoQUo5WThFaUhmeHhNL25PbjJTbkkxWHgKRHdPdEJEVDFKRjBReTliMVlKanV2YjdjaTEwZjVN
            Vm1UQllqMUZTVWZNOU1vejJDVVFZdW4yRFljV29IcFA4ZQpqSG1BUFVrNVd5cDJRN1ArMjh1bklI
            QkphVGZlQ09PekZSUFY2MEdTWWUzNmFScG04L3dVVm16eGFLOGtCOWVaCmhPN3F1TjdtSWQxL2pW
            cTNKODhDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQU1meTQzeE15OHh3QTUKVjF2T2NS
            OEtyNWNaSXdtbFhCUU8xeFEzazlxSGtyNFlUY1JxTVQ5WjVKTm1rWHYxK2VSaGcwTi9WMW5NUTRZ
            RgpnWXcxbnlESnBnOTduZUV4VzQyeXVlMFlHSDYyV1hYUUhyOVNVREgrRlowVnQvRGZsdklVTWRj
            UUFEZjM4aU9zCjlQbG1kb3YrcE0vNCs5a1h5aDhSUEkzZXZ6OS9NQT09Ci0tLS0tRU5EIENFUlRJ
            RklDQVRFLS0tLS0K
          # In this example, the key data is not a real PEM-encoded private key
          tls.key: |
            RXhhbXBsZSBkYXRhIGZvciB0aGUgVExTIGNydCBmaWVsZA==

      Then, we would need some YAML keywords so the user can mount the files easily. This is a suggestion:


      apiVersion: apps.3scale.net/v1alpha1
      kind: APIManager
      metadata:
        name: apimanager1
      spec:
        system:
          redisCaCertRef:
            name: my-secret-with-ca-cert
          redisClientCertRef:
            name: my-secret-with-client-cert
        backend:
          redisCaCertRef:
            name: my-secret-with-ca-cert
          redisClientCertRef:
            name: my-secret-with-client-cert

      Essentially, this is: create a secret with the TLS cert and key, mount it into the pod, and create an environment variable pointing at the file location. This should work for backend and system:

      • Backend: listener and worker pods
      • System: app and sidekiq pods
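
How porta or apisonator could consume the variables above, as an added example (Ruby, since both are Ruby applications) that is not code from this issue or from either project. It reads the four variable groups listed earlier, enforces the contract that the SSL flag must be true whenever any file is given and that the client certificate and key come together, parses the PEM material with Ruby's OpenSSL standard library, checks that the key actually belongs to the certificate, and returns the `ssl`/`ssl_params` options in the shape the redis-rb client accepts. The function names, the `REDIS_TLS_ENV` table and the connection labels (`:backend_storage`, `:backend_queues`, `:system_redis`, `:system_backend`) are assumed names chosen for this example; the environment variable names are the ones from the issue.

```ruby
require "openssl"

# Environment variable names from the issue, one row per Redis connection.
# Each row: [SSL flag, CA file, client certificate file, client private key file].
# The row labels are assumed names for this example, not the projects' own.
REDIS_TLS_ENV = {
  backend_storage: %w[CONFIG_REDIS_SSL CONFIG_REDIS_CA_FILE CONFIG_REDIS_CERT CONFIG_REDIS_PRIVATE_KEY],
  backend_queues:  %w[CONFIG_QUEUES_SSL CONFIG_QUEUES_CA_FILE CONFIG_QUEUES_CERT CONFIG_QUEUES_PRIVATE_KEY],
  system_redis:    %w[REDIS_SSL REDIS_CA_FILE REDIS_CLIENT_CERT REDIS_PRIVATE_KEY],
  system_backend:  %w[BACKEND_REDIS_SSL BACKEND_REDIS_CA_FILE BACKEND_REDIS_CLIENT_CERT BACKEND_REDIS_PRIVATE_KEY],
}.freeze

class RedisTLSConfigError < StandardError; end

# Ensure a configured path points at a readable file before it is trusted.
def readable_file!(path, var)
  unless File.file?(path) && File.readable?(path)
    raise RedisTLSConfigError, "#{var}=#{path} is not a readable file"
  end
  path
end

# Build the TLS part of a redis-rb options hash for one connection.
# `env` is a Hash (pass ENV in production) so the logic can be tested offline.
# Returns {} when TLS is not requested, otherwise { ssl: true, ssl_params: {...} }.
def redis_tls_options(env, connection)
  ssl_var, ca_var, cert_var, key_var = REDIS_TLS_ENV.fetch(connection)
  ssl_on = env[ssl_var].to_s.strip.downcase == "true"
  ca_file, cert_file, key_file =
    env.values_at(ca_var, cert_var, key_var).map { |v| v.to_s.empty? ? nil : v }

  # Contract from the issue: files present without the SSL flag is a misconfiguration,
  # not a plaintext connection that silently ignores the material.
  if !ssl_on && (ca_file || cert_file || key_file)
    raise RedisTLSConfigError,
          "#{ssl_var} must be true when #{ca_var}, #{cert_var} or #{key_var} is set"
  end
  return {} unless ssl_on

  # A client certificate without its key (or the reverse) cannot be used for mTLS.
  if cert_file.nil? ^ key_file.nil?
    raise RedisTLSConfigError, "#{cert_var} and #{key_var} must be provided together"
  end

  # Always verify the server; a CA file restricts trust to the provided CA.
  params = { verify_mode: OpenSSL::SSL::VERIFY_PEER }
  params[:ca_file] = readable_file!(ca_file, ca_var) if ca_file

  if cert_file
    params[:cert] = OpenSSL::X509::Certificate.new(File.read(readable_file!(cert_file, cert_var)))
    params[:key]  = OpenSSL::PKey.read(File.read(readable_file!(key_file, key_var)))
    # Refuse a key that does not belong to the certificate (catches a wrong mount).
    unless params[:cert].check_private_key(params[:key])
      raise RedisTLSConfigError, "#{key_var} does not match the certificate in #{cert_var}"
    end
  end

  { ssl: true, ssl_params: params }
rescue OpenSSL::OpenSSLError => e
  raise RedisTLSConfigError, "invalid PEM material for #{connection}: #{e.message}"
end

# Usage: Redis.new(url: "rediss://...", **redis_tls_options(ENV, :backend_storage))
```

The result hash is meant to be merged into the redis-rb constructor options (`ssl:` and `ssl_params:` are the keys redis-rb uses for TLS); a connection whose flag is unset simply gets an empty hash, so the same call works for TLS and non-TLS deployments.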

            vmogilev_rhmi Valery Mogilevsky
            rh-ee-jlledo Joan Lledo