Type: Task
Resolution: Unresolved
Priority: Major
Sprint: RHOAM Sprint 64, RHOAM Sprint 65, RHOAM Sprint 66, RHOAM Sprint 67
We need porta and apisonator to be able to load TLS details to connect to Redis. In particular, we need:
- CA certificate
- Client certificate
- Client private key
Those can be mounted wherever the operator decides, but the operator should set the following environment variables to tell porta and apisonator where the files are:
- Backend:
- CONFIG_REDIS_CA_FILE and CONFIG_QUEUES_CA_FILE for the CA certificate
- CONFIG_REDIS_CERT and CONFIG_QUEUES_CERT for the client certificate
- CONFIG_REDIS_PRIVATE_KEY and CONFIG_QUEUES_PRIVATE_KEY for the client key
- CONFIG_REDIS_SSL and CONFIG_QUEUES_SSL must be set to true when any of the above is present
- System:
- REDIS_CA_FILE and BACKEND_REDIS_CA_FILE for the CA certificate
- REDIS_CLIENT_CERT and BACKEND_REDIS_CLIENT_CERT for the client certificate
- REDIS_PRIVATE_KEY and BACKEND_REDIS_PRIVATE_KEY for the client key
- REDIS_SSL and BACKEND_REDIS_SSL must be set to true when any of the above is present
The client should create the following resources:
- TLS Secret (docs) for the CA certificate
- TLS Secret for the client cert and key
Would like this:
apiVersion: v1
kind: Secret
metadata:
  name: secret-tls
type: kubernetes.io/tls
data:
  # values are base64 encoded, which obscures them but does NOT provide
  # any useful level of confidentiality
  tls.crt: |
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNVakNDQWJzQ0FnMytNQTBHQ1NxR1NJYjNE
    UUVCQlFVQU1JR2JNUXN3Q1FZRFZRUUdFd0pLVURFT01Bd0cKQTFVRUNCTUZWRzlyZVc4eEVEQU9C
    Z05WQkFjVEIwTm9kVzh0YTNVeEVUQVBCZ05WQkFvVENFWnlZVzVyTkVSRQpNUmd3RmdZRFZRUUxF
    dzlYWldKRFpYSjBJRk4xY0hCdmNuUXhHREFXQmdOVkJBTVREMFp5WVc1ck5FUkVJRmRsCllpQkRR
    VEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVjM1Z3Y0c5eWRFQm1jbUZ1YXpSa1pDNWpiMjB3SGhjTk1U
    TXcKTVRFeE1EUTFNVE01V2hjTk1UZ3dNVEV3TURRMU1UTTVXakJMTVFzd0NRWURWUVFHREFKS1VE
    RVBNQTBHQTFVRQpDQXdHWEZSdmEzbHZNUkV3RHdZRFZRUUtEQWhHY21GdWF6UkVSREVZTUJZR0Ex
    VUVBd3dQZDNkM0xtVjRZVzF3CmJHVXVZMjl0TUlHYU1BMEdDU3FHU0liM0RRRUJBUVVBQTRHSUFE
    Q0JoQUo5WThFaUhmeHhNL25PbjJTbkkxWHgKRHdPdEJEVDFKRjBReTliMVlKanV2YjdjaTEwZjVN
    Vm1UQllqMUZTVWZNOU1vejJDVVFZdW4yRFljV29IcFA4ZQpqSG1BUFVrNVd5cDJRN1ArMjh1bklI
    QkphVGZlQ09PekZSUFY2MEdTWWUzNmFScG04L3dVVm16eGFLOGtCOWVaCmhPN3F1TjdtSWQxL2pW
    cTNKODhDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQU1meTQzeE15OHh3QTUKVjF2T2NS
    OEtyNWNaSXdtbFhCUU8xeFEzazlxSGtyNFlUY1JxTVQ5WjVKTm1rWHYxK2VSaGcwTi9WMW5NUTRZ
    RgpnWXcxbnlESnBnOTduZUV4VzQyeXVlMFlHSDYyV1hYUUhyOVNVREgrRlowVnQvRGZsdklVTWRj
    UUFEZjM4aU9zCjlQbG1kb3YrcE0vNCs5a1h5aDhSUEkzZXZ6OS9NQT09Ci0tLS0tRU5EIENFUlRJ
    RklDQVRFLS0tLS0K
  # In this example, the key data is not a real PEM-encoded private key
  tls.key: |
    RXhhbXBsZSBkYXRhIGZvciB0aGUgVExTIGNydCBmaWVsZA==
Then we would need some YAML keywords so the user can mount the files easily. This is a suggestion:
apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
  name: apimanager1
spec:
  system:
    redisCaCertRef:
      name: my-secret-with-ca-cert
    redisClientCertRef:
      name: my-secret-with-client-cert
  backend:
    redisCaCertRef:
      name: my-secret-with-ca-cert
    redisClientCertRef:
      name: my-secret-with-client-cert
Essentially, this means creating a Secret with the TLS cert and key, mounting it into the pod, and creating an environment variable pointing at the file location. This should work for both backend and system:
- Backend: listener and worker pods
- System: app and sidekiq pods
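The mapping above (secret ref in the APIManager spec, then a volume mount, then the file-path environment variables, with the *_SSL flag forced to true whenever any of the files is present) is easy to get subtly wrong, for example by setting the client cert variables but forgetting the SSL flag for the queues connection. The following is an added Go example written for this ticket, not code from the 3scale operator: it uses reduced stand-ins for the corev1 EnvVar and VolumeMount types, assumes a mount layout of /tls/<component>/<role> chosen by the operator, and assumes that the single pair of refs per component feeds both Redis connections of that component (storage and queues for backend, system's own Redis and backend Redis for system). The variable names are the ones listed in this ticket; the file names tls.crt and tls.key are the fixed keys of a kubernetes.io/tls Secret.

```go
package main

import (
	"fmt"
	"path"
)

// SecretRef mirrors the proposed redisCaCertRef / redisClientCertRef fields.
type SecretRef struct {
	Name string
}

// RedisTLSSpec is the per-component fragment of the suggested APIManager spec.
type RedisTLSSpec struct {
	RedisCACertRef     *SecretRef
	RedisClientCertRef *SecretRef
}

// EnvVar and VolumeMount are reduced stand-ins for the corev1 types a real
// operator would emit (assumption: k8s.io/api/core/v1 is not used here so the
// example runs without dependencies).
type EnvVar struct {
	Name, Value string
}

type VolumeMount struct {
	SecretName, MountPath string
}

// envSet is the group of four variables one Redis connection reads.
type envSet struct {
	CA, Cert, Key, SSL string
}

// envSets is the ticket's variable table, keyed by component. Each component
// has two Redis connections and the suggested spec carries one pair of refs
// per component, so both connections receive the same files (assumption).
var envSets = map[string][]envSet{
	"backend": {
		{"CONFIG_REDIS_CA_FILE", "CONFIG_REDIS_CERT", "CONFIG_REDIS_PRIVATE_KEY", "CONFIG_REDIS_SSL"},
		{"CONFIG_QUEUES_CA_FILE", "CONFIG_QUEUES_CERT", "CONFIG_QUEUES_PRIVATE_KEY", "CONFIG_QUEUES_SSL"},
	},
	"system": {
		{"REDIS_CA_FILE", "REDIS_CLIENT_CERT", "REDIS_PRIVATE_KEY", "REDIS_SSL"},
		{"BACKEND_REDIS_CA_FILE", "BACKEND_REDIS_CLIENT_CERT", "BACKEND_REDIS_PRIVATE_KEY", "BACKEND_REDIS_SSL"},
	},
}

// RenderRedisTLS turns the secret refs of one component into the volume
// mounts and environment variables its pods need. mountBase is where the
// operator chooses to mount the secrets (assumed layout /tls/<component>/<role>).
func RenderRedisTLS(component string, spec RedisTLSSpec, mountBase string) ([]VolumeMount, []EnvVar, error) {
	sets, ok := envSets[component]
	if !ok {
		return nil, nil, fmt.Errorf("unknown component %q", component)
	}
	var mounts []VolumeMount
	var env []EnvVar

	caPath, clientDir := "", ""
	if spec.RedisCACertRef != nil {
		dir := path.Join(mountBase, component, "redis-ca")
		mounts = append(mounts, VolumeMount{spec.RedisCACertRef.Name, dir})
		caPath = path.Join(dir, "tls.crt")
	}
	if spec.RedisClientCertRef != nil {
		clientDir = path.Join(mountBase, component, "redis-client")
		mounts = append(mounts, VolumeMount{spec.RedisClientCertRef.Name, clientDir})
	}

	for _, s := range sets {
		if caPath != "" {
			env = append(env, EnvVar{s.CA, caPath})
		}
		if clientDir != "" {
			env = append(env, EnvVar{s.Cert, path.Join(clientDir, "tls.crt")})
			env = append(env, EnvVar{s.Key, path.Join(clientDir, "tls.key")})
		}
		// Ticket rule: the SSL flag must be true when any of the files is set.
		if caPath != "" || clientDir != "" {
			env = append(env, EnvVar{s.SSL, "true"})
		}
	}
	return mounts, env, nil
}

// EnvValue looks one variable up in a rendered env list.
func EnvValue(env []EnvVar, name string) (string, bool) {
	for _, e := range env {
		if e.Name == name {
			return e.Value, true
		}
	}
	return "", false
}

func main() {
	spec := RedisTLSSpec{
		RedisCACertRef:     &SecretRef{Name: "my-secret-with-ca-cert"},
		RedisClientCertRef: &SecretRef{Name: "my-secret-with-client-cert"},
	}
	for _, c := range []string{"backend", "system"} {
		mounts, env, err := RenderRedisTLS(c, spec, "/tls")
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s mounts: %+v\n", c, mounts)
		for _, e := range env {
			fmt.Printf("  %s=%s\n", e.Name, e.Value)
		}
	}
}
```

Rendering the same spec for both components from one table makes the pairing rule (files present implies SSL flag) impossible to forget for one of the two connections, and a component name outside the table is rejected instead of silently producing no variables.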
Issue links:
- blocks: THREESCALE-11453 Add validation for TLS and ACL certs/creds (New)
- is related to: THREESCALE-10908 3scale Operator changes to support TLS/ACL changes for Redis (To Develop); THREESCALE-10870 Apisonator: CI: Add jobs for all supported Redis deployments (Closed)
- relates to: THREESCALE-8404 TLS and ACL support for Redis connection (To Test (QE))