Loading...

XML

Word

Printable

Type: Task
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: 3scale Operator
Labels:

Epic Link:
Customer provided secrets to 3scale
Blocked:
True
Blocked Reason:
https://issues.redhat.com/browse/THREESCALE-11296
Ready:
False
3Scale PT Tested upstream:
Not Started
3scale PT Docs:
Not Started
3scale PT Product Specs:
Not Started
3scale PT Product Update Ready:
Not Started
3scale PT Released In Saas:
Not Started
3scale PT Verified Product:
Not Started
Target Release:

2.16.0 GA
Git Pull Request:
https://github.com/3scale/3scale-operator/pull/1025
Intelligence Requested:
Market:

Sprint:
RHOAM Sprint 64, RHOAM Sprint 65, RHOAM Sprint 66

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

We need porta and apisonator to be able to load TLS details to connect to Redis. In particular, we need:

CA certificate
Client certificate
Client private key

Those can be mounted wherever the operator decides, but the operator should set the next environment variables to inform porta and apisonator where the files are:

Backend:
- CONFIG_REDIS_CA_FILE and CONFIG_QUEUES_CA_FILE for the CA certificate
- CONFIG_REDIS_CERT and CONFIG_QUEUES_CERT for the client certificate
- CONFIG_REDIS_PRIVATE_KEY and CONFIG_QUEUES_PRIVATE_KEY for the client key
- CONFIG_REDIS_SSL and CONFIG_QUEUES_SSL must be set to true when any of the above is present
System:
- REDIS_CA_FILE and BACKEND_REDIS_CA_FILE for the CA certificate
- REDIS_CLIENT_CERT and BACKEND_REDIS_CLIENT_CERT for the client certificate
- REDIS_PRIVATE_KEY and BACKEND_REDIS_PRIVATE_KEY for the client key
- REDIS_SSL and BACKEND_REDIS_SSL must be set to true when any of the above is present

The client should create the next resources

TLS Secret (docs) for the CA certificate
TLS Secret for the client cert and key

Would like this:

apiVersion: v1
kind: Secret
metadata:
  name: secret-tls
type: kubernetes.io/tls
data:
  # values are base64 encoded, which obscures them but does NOT provide
  # any useful level of confidentiality
  tls.crt: |
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNVakNDQWJzQ0FnMytNQTBHQ1NxR1NJYjNE
    UUVCQlFVQU1JR2JNUXN3Q1FZRFZRUUdFd0pLVURFT01Bd0cKQTFVRUNCTUZWRzlyZVc4eEVEQU9C
    Z05WQkFjVEIwTm9kVzh0YTNVeEVUQVBCZ05WQkFvVENFWnlZVzVyTkVSRQpNUmd3RmdZRFZRUUxF
    dzlYWldKRFpYSjBJRk4xY0hCdmNuUXhHREFXQmdOVkJBTVREMFp5WVc1ck5FUkVJRmRsCllpQkRR
    VEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVjM1Z3Y0c5eWRFQm1jbUZ1YXpSa1pDNWpiMjB3SGhjTk1U
    TXcKTVRFeE1EUTFNVE01V2hjTk1UZ3dNVEV3TURRMU1UTTVXakJMTVFzd0NRWURWUVFHREFKS1VE
    RVBNQTBHQTFVRQpDQXdHWEZSdmEzbHZNUkV3RHdZRFZRUUtEQWhHY21GdWF6UkVSREVZTUJZR0Ex
    VUVBd3dQZDNkM0xtVjRZVzF3CmJHVXVZMjl0TUlHYU1BMEdDU3FHU0liM0RRRUJBUVVBQTRHSUFE
    Q0JoQUo5WThFaUhmeHhNL25PbjJTbkkxWHgKRHdPdEJEVDFKRjBReTliMVlKanV2YjdjaTEwZjVN
    Vm1UQllqMUZTVWZNOU1vejJDVVFZdW4yRFljV29IcFA4ZQpqSG1BUFVrNVd5cDJRN1ArMjh1bklI
    QkphVGZlQ09PekZSUFY2MEdTWWUzNmFScG04L3dVVm16eGFLOGtCOWVaCmhPN3F1TjdtSWQxL2pW
    cTNKODhDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQU1meTQzeE15OHh3QTUKVjF2T2NS
    OEtyNWNaSXdtbFhCUU8xeFEzazlxSGtyNFlUY1JxTVQ5WjVKTm1rWHYxK2VSaGcwTi9WMW5NUTRZ
    RgpnWXcxbnlESnBnOTduZUV4VzQyeXVlMFlHSDYyV1hYUUhyOVNVREgrRlowVnQvRGZsdklVTWRj
    UUFEZjM4aU9zCjlQbG1kb3YrcE0vNCs5a1h5aDhSUEkzZXZ6OS9NQT09Ci0tLS0tRU5EIENFUlRJ
    RklDQVRFLS0tLS0K    
  # In this example, the key data is not a real PEM-encoded private key
  tls.key: |
    RXhhbXBsZSBkYXRhIGZvciB0aGUgVExTIGNydCBmaWVsZA==

Then, we would need some yaml keywords so the user can mount the files easily. This is a suggestion:

apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
  name: apimanager1
spec:
  system:
    redisCaCertRef:
      name: my-secret-with-ca-cert
    redisClientCertRef:
      name: my-secret-with-client-cert
  backend:
    redisCaCertRef:
      name: my-secret-with-ca-cert
    redisClientCertRef:
      name: my-secret-with-client-cert

Essentially, this is create a secret with the tls cert and key, mount that to the pod and create an envar pointing at the file location. This should work for backend and system:

Backend: listener and worker pods
System: app and sidekiq pods

blocks

THREESCALE-11453 Add validation for TLS and ACL certs/creds

is related to

THREESCALE-10908 3scale Operator changes to support TLS/ACL changes for Redis

To Develop

THREESCALE-10870 Apisonator: CI: Add jobs for all supported Redis deployments

Closed

relates to

THREESCALE-8404 TLS and ACL support for Redis connection

To Test (QE)

links to

3scale/3scale-operator#1025: [WIP]THREESCALE-11020 Redis TLS certs and keys for porta and backend

RHEA-2024:128529 Red Hat 3scale API Management 2.15.0 Release - Container Images

mentioned on

Merge request - Updated US source to: e0a9b07 Accept sentinels credentials in the URL (#398)

Merge request - Updated US source to: f53f084 Merge pull request #391 from jlledom/THREESCALE-8404-acl-tls-redis

(1 links to, 2 mentioned on)

Assignee:: Valery Mogilevsky

Reporter:: Joan Lledo

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/05/03 8:40 AM

Updated:: 2024/11/04 3:17 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates