Red Hat 3scale API Management
THREESCALE-11020

Add a way for the user to provide Redis TLS certs and keys for porta and backend


    • RHOAM Sprint 64, RHOAM Sprint 65, RHOAM Sprint 66, RHOAM Sprint 67

      We need porta and apisonator to be able to load TLS details to connect to Redis. In particular, we need:

      • CA certificate
      • Client certificate
      • Client private key

      Those can be mounted wherever the operator decides, but the operator should set the following environment variables to tell porta and apisonator where the files are:

      • Backend:
        • CONFIG_REDIS_CA_FILE and CONFIG_QUEUES_CA_FILE for the CA certificate
        • CONFIG_REDIS_CERT and CONFIG_QUEUES_CERT for the client certificate
        • CONFIG_REDIS_PRIVATE_KEY and CONFIG_QUEUES_PRIVATE_KEY for the client key
        • CONFIG_REDIS_SSL and CONFIG_QUEUES_SSL must be set to true when any of the above is present
      • System:
        • REDIS_CA_FILE and BACKEND_REDIS_CA_FILE for the CA certificate
        • REDIS_CLIENT_CERT and BACKEND_REDIS_CLIENT_CERT for the client certificate
        • REDIS_PRIVATE_KEY and BACKEND_REDIS_PRIVATE_KEY for the client key
        • REDIS_SSL and BACKEND_REDIS_SSL must be set to true when any of the above is present

      The client should create the following resources:

      • TLS Secret (docs) for the CA certificate
      • TLS Secret for the client cert and key. It would look like this:

        apiVersion: v1
        kind: Secret
        metadata:
          name: secret-tls
        type: kubernetes.io/tls
        data:
          # values are base64 encoded, which obscures them but does NOT provide
          # any useful level of confidentiality
          tls.crt: |
            LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNVakNDQWJzQ0FnMytNQTBHQ1NxR1NJYjNE
            UUVCQlFVQU1JR2JNUXN3Q1FZRFZRUUdFd0pLVURFT01Bd0cKQTFVRUNCTUZWRzlyZVc4eEVEQU9C
            Z05WQkFjVEIwTm9kVzh0YTNVeEVUQVBCZ05WQkFvVENFWnlZVzVyTkVSRQpNUmd3RmdZRFZRUUxF
            dzlYWldKRFpYSjBJRk4xY0hCdmNuUXhHREFXQmdOVkJBTVREMFp5WVc1ck5FUkVJRmRsCllpQkRR
            VEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVjM1Z3Y0c5eWRFQm1jbUZ1YXpSa1pDNWpiMjB3SGhjTk1U
            TXcKTVRFeE1EUTFNVE01V2hjTk1UZ3dNVEV3TURRMU1UTTVXakJMTVFzd0NRWURWUVFHREFKS1VE
            RVBNQTBHQTFVRQpDQXdHWEZSdmEzbHZNUkV3RHdZRFZRUUtEQWhHY21GdWF6UkVSREVZTUJZR0Ex
            VUVBd3dQZDNkM0xtVjRZVzF3CmJHVXVZMjl0TUlHYU1BMEdDU3FHU0liM0RRRUJBUVVBQTRHSUFE
            Q0JoQUo5WThFaUhmeHhNL25PbjJTbkkxWHgKRHdPdEJEVDFKRjBReTliMVlKanV2YjdjaTEwZjVN
            Vm1UQllqMUZTVWZNOU1vejJDVVFZdW4yRFljV29IcFA4ZQpqSG1BUFVrNVd5cDJRN1ArMjh1bklI
            QkphVGZlQ09PekZSUFY2MEdTWWUzNmFScG04L3dVVm16eGFLOGtCOWVaCmhPN3F1TjdtSWQxL2pW
            cTNKODhDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQU1meTQzeE15OHh3QTUKVjF2T2NS
            OEtyNWNaSXdtbFhCUU8xeFEzazlxSGtyNFlUY1JxTVQ5WjVKTm1rWHYxK2VSaGcwTi9WMW5NUTRZ
            RgpnWXcxbnlESnBnOTduZUV4VzQyeXVlMFlHSDYyV1hYUUhyOVNVREgrRlowVnQvRGZsdklVTWRj
            UUFEZjM4aU9zCjlQbG1kb3YrcE0vNCs5a1h5aDhSUEkzZXZ6OS9NQT09Ci0tLS0tRU5EIENFUlRJ
            RklDQVRFLS0tLS0K
          # In this example, the key data is not a real PEM-encoded private key
          tls.key: |
            RXhhbXBsZSBkYXRhIGZvciB0aGUgVExTIGNydCBmaWVsZA==

      Then we would need some YAML fields in the APIManager CR so the user can mount the files easily. This is a suggestion:

      apiVersion: apps.3scale.net/v1alpha1
      kind: APIManager
      metadata:
        name: apimanager1
      spec:
        system:
          redisCaCertRef:
            name: my-secret-with-ca-cert
          redisClientCertRef:
            name: my-secret-with-client-cert
        backend:
          redisCaCertRef:
            name: my-secret-with-ca-cert
          redisClientCertRef:
            name: my-secret-with-client-cert


      Essentially, this means creating a secret with the TLS cert and key, mounting it into the pod, and creating an environment variable pointing at the file location. This should work for backend and system:

      • Backend: listener and worker pods
      • System: app and sidekiq pods
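      Added example (not code from porta, apisonator or the 3scale operator): a Ruby function that turns the environment variables listed above into Redis client TLS options and rejects the inconsistent cases, i.e. certificate files given without the *_SSL flag set to true, a client certificate without its private key, and a path that was never mounted. The variable names are the ones from this issue; the ssl:/ssl_params: shape of the returned hash follows the redis-rb gem's convention, which is an assumption about the client library rather than something the issue specifies. The self-signed certificate writer only produces constructed test material so the example runs offline.

```ruby
require 'openssl'
require 'tmpdir'

# Added example, not code from porta, apisonator or the 3scale operator.
# Maps each Redis connection of backend and system to the env var names from
# the issue. The result hash uses redis-rb's ssl:/ssl_params: convention
# (assumption about the client library; the issue does not say which is used).
REDIS_TLS_VARS = {
  'backend_redis'  => { ssl: 'CONFIG_REDIS_SSL', ca: 'CONFIG_REDIS_CA_FILE',
                        cert: 'CONFIG_REDIS_CERT', key: 'CONFIG_REDIS_PRIVATE_KEY' },
  'backend_queues' => { ssl: 'CONFIG_QUEUES_SSL', ca: 'CONFIG_QUEUES_CA_FILE',
                        cert: 'CONFIG_QUEUES_CERT', key: 'CONFIG_QUEUES_PRIVATE_KEY' },
  'system_redis'   => { ssl: 'REDIS_SSL', ca: 'REDIS_CA_FILE',
                        cert: 'REDIS_CLIENT_CERT', key: 'REDIS_PRIVATE_KEY' },
  'system_backend' => { ssl: 'BACKEND_REDIS_SSL', ca: 'BACKEND_REDIS_CA_FILE',
                        cert: 'BACKEND_REDIS_CLIENT_CERT', key: 'BACKEND_REDIS_PRIVATE_KEY' }
}.freeze

# Returns the TLS-related client options for one Redis connection.
# env is a Hash like ENV; connection is a key of REDIS_TLS_VARS.
def redis_tls_options(env, connection)
  vars = REDIS_TLS_VARS.fetch(connection)
  present = lambda { |role| v = env[vars[role]]; v.nil? || v.empty? ? nil : v }
  ca, cert, key = present[:ca], present[:cert], present[:key]
  ssl = %w[true 1 yes].include?(env[vars[:ssl]].to_s.strip.downcase)

  # The issue's invariant: any TLS file without the SSL flag is a misconfiguration.
  if [ca, cert, key].any? && !ssl
    raise ArgumentError, "#{vars[:ssl]} must be true when #{vars[:ca]}, #{vars[:cert]} or #{vars[:key]} is set"
  end
  # A client certificate is only usable together with its private key.
  if cert.nil? != key.nil?
    raise ArgumentError, "#{vars[:cert]} and #{vars[:key]} must be set together"
  end
  return { ssl: false } unless ssl

  # Fail at startup on a bad mount instead of at the first Redis connection.
  [ca, cert, key].compact.each do |path|
    raise ArgumentError, "TLS file not found: #{path}" unless File.file?(path)
  end

  params = { verify_mode: OpenSSL::SSL::VERIFY_PEER }
  params[:ca_file] = ca if ca
  if cert
    params[:cert] = OpenSSL::X509::Certificate.new(File.read(cert))
    params[:key]  = OpenSSL::PKey.read(File.read(key))
  end
  { ssl: true, ssl_params: params }
end

# Constructed test material: a throwaway self-signed certificate and key,
# written to dir in the layout a mounted kubernetes.io/tls Secret would have.
def write_test_material(dir)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=redis-client-example')
  cert.issuer  = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  paths = { ca: File.join(dir, 'ca.crt'), cert: File.join(dir, 'tls.crt'), key: File.join(dir, 'tls.key') }
  File.write(paths[:ca], cert.to_pem) # self-signed, so it doubles as its own CA here
  File.write(paths[:cert], cert.to_pem)
  File.write(paths[:key], key.to_pem)
  paths
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    paths = write_test_material(dir)
    env = { 'REDIS_SSL' => 'true', 'REDIS_CA_FILE' => paths[:ca],
            'REDIS_CLIENT_CERT' => paths[:cert], 'REDIS_PRIVATE_KEY' => paths[:key] }
    opts = redis_tls_options(env, 'system_redis')
    puts "system redis: ssl=#{opts[:ssl]} ca_file=#{opts[:ssl_params][:ca_file]} " \
         "client cert subject=#{opts[:ssl_params][:cert].subject}"
  end
end
```

      The function is meant to run once at process start, so a secret that was referenced in the CR but not actually mounted, or an SSL flag the operator forgot to set, surfaces as a clear startup error rather than as a plaintext connection or a TLS handshake failure later on.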


              vmogilev_rhmi Valery Mogilevsky
              rh-ee-jlledo Joan Lledo