As part of IBM® Guardium® Quantum Safe installation, you need to set up Transport Layer Security (TLS) certificates in Kubernetes. The TLS certificates can be self-signed certificates, which ensure that the identity of your domain and its communication are verified and secured.
Before you begin
Before you start setting up self-signed certificates in Kubernetes, ensure that you have the following Kubernetes setup.
- A running Kubernetes cluster
- Access to the Kubernetes cluster
- Ingress Nginx Controller deployed on the Kubernetes cluster
- nip.io to map any IP address to a hostname
About this task
You can use the following steps to create a domain name that uses self-signed TLS
certificates in Kubernetes.
Procedure
- Create a Domain Name System (DNS) name with a self-signed certificate by using OpenSSL. The subjectAltName value must match the host name that you later use in the Ingress rule, because clients validate the certificate against that extension rather than against the CN.
root@k8s-pentest-master:~# mkdir certs && cd certs
root@k8s-pentest-master:~/certs# openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes -keyout tls.key -out tls.crt -subj "/CN=keycloak.k8sdev-gqs.nip.io" -addext "subjectAltName=DNS:keycloak.k8sdev-gqs.nip.io"
The tls.crt and tls.key files are generated.
- Store the tls.key and tls.crt files in a Kubernetes TLS secret. This secret is referenced later when the Ingress resource is created.
root@k8s-pentest-master:~/certs# kubectl create secret tls k8s-common-domain-tls --cert=tls.crt --key=tls.key -n dev
Here, -n dev specifies the dev namespace, which you can change as required.
- Create an Ingress resource that references the TLS secret created in step 2.
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: gqs-ui-ingress
  namespace: dev
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - k8sdev-gqs.nip.io
      secretName: k8s-common-domain-tls
  rules:
    - host: k8sdev-gqs.nip.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gqs-ui
                port:
                  number: 3000
You can access the UI service on HTTPS over Ingress through https://k8sdev-gqs.nip.io:30837. TLS terminates at the Ingress controller; because of the backend-protocol: HTTP annotation, traffic from the controller to the gqs-ui service inside the cluster is plain HTTP.
Note:
Because Guardium Quantum Safe runs on a vanilla Kubernetes cluster and the Ingress Nginx controller service is deployed as type LoadBalancer, the service is exposed on an external port. That port is the NodePort on which the services are reached (30837 for HTTPS in the following output).
root@master-k8s-node:~# kubectl get svc -n ingress-nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer 10.102.37.80 10.242.64.1 80:30752/TCP,443:30837/TCP 56d
Note:
You can also define multiple paths, one for each service, in a single common Ingress YAML file.
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: k8s-common-ingress
  namespace: dev
  annotations:
    freelens.app/resource-version: v1
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
    nginx.ingress.kubernetes.io/proxy-body-size: 100m
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - gqs.k8sdev.nip.io
      secretName: k8s-common-tls
  rules:
    - host: gqs.k8sdev.nip.io
      http:
        paths:
          - path: /gqs-admin
            pathType: Prefix
            backend:
              service:
                name: gqs-admin
                port:
                  number: 8081
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gqs-ui
                port:
                  number: 3000
          - path: /gqs-auth
            pathType: Prefix
            backend:
              service:
                name: gqs-auth
                port:
                  number: 8090
          - path: /gqs-apigateway
            pathType: Prefix
            backend:
              service:
                name: gqs-apigateway
                port:
                  number: 8443
          - path: /gqs-policy-risk
            pathType: Prefix
            backend:
              service:
                name: gqs-policy-risk
                port:
                  number: 8083
          - path: /gqs-integration
            pathType: Prefix
            backend:
              service:
                name: gqs-integration
                port:
                  number: 8082
          - path: /gqs-bi-evidence
            pathType: Prefix
            backend:
              service:
                name: gqs-bi-evidence
                port:
                  number: 8888
          - path: /gqs-framework
            pathType: Prefix
            backend:
              service:
                name: gqs-framework-test
                port:
                  number: 8080
          - path: /secure-file-upload
            pathType: Prefix
            backend:
              service:
                name: gqs-secure-file-upload-api
                port:
                  number: 8080
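The certificate from step 1 is only useful if its subjectAltName covers the host in the Ingress rule of step 3. The following Go program is an added example, not part of the IBM documentation or the Guardium Quantum Safe product: it builds a self-signed certificate the same way the openssl command does (CN plus subjectAltName, using an Ed25519 key for brevity) and applies the same hostname-matching rule a TLS client uses, so you can check tls.crt against the Ingress host before creating the secret. The host names are taken from the steps above; the function names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// SelfSignedCertPEM builds a self-signed certificate for one DNS name, the same
// shape as the openssl command in step 1: a CN plus a matching subjectAltName.
func SelfSignedCertPEM(dnsName string, days int) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // the subjectAltName extension
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
// CertCoversHost reports whether tls.crt is valid for the host named in the Ingress
// rule. Clients match the subjectAltName, never the CN, so run this before step 2.
func CertCoversHost(certPEM []byte, host string) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}
func main() { // constructed check: the CN from step 1 against the Ingress host from step 3
	certPEM, _ := SelfSignedCertPEM("keycloak.k8sdev-gqs.nip.io", 365)
	ok, _ := CertCoversHost(certPEM, "k8sdev-gqs.nip.io")
	fmt.Println("tls.crt covers k8sdev-gqs.nip.io:", ok)
}
```

To check a real tls.crt, read the file into certPEM and pass the host from your Ingress rule; a false result means browsers will reject the connection even though the secret and Ingress are otherwise correct.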