Configure authentication and TLS for inter-pod communication

Authentication and TLS of inter-pod communication are enabled by default starting with v12.0.3.2.

About this task

Authentication and TLS of inter-pod communication are configured through Secret resources. The following steps set up the passwords and certificates for ibm-wex-prod resources. If you do not enable this feature, see the last step below.

Procedure

  1. Pull the ibm-wex-ee Docker image from the private registry. The image is pushed to the private registry when the Passport Advantage archive is loaded, for example:
    docker pull mycluster.icp:8500/WEX_LOADED_NAMESPACE/ibm-wex-ee:IMAGE_TAG
    Note: Change WEX_LOADED_NAMESPACE and IMAGE_TAG to match your actual namespace and image tag.
  2. Decide passwords for your release and create a Secret object, like the following:
    # The three passwords the release uses; replace each placeholder with a strong value
    storePassword="YOUR_PASSWORD_1"
    databasePassword="YOUR_PASSWORD_2"
    discoveryPassword="YOUR_PASSWORD_3"
    # The image pulled in step 1
    onewexDockerImage="mycluster.icp:8500/WEX_LOADED_NAMESPACE/ibm-wex-ee:IMAGE_TAG"
    
    # Generate self-signed certificates and keystores into ./certs with the image's own script.
    # The directory is made world-writable so that the container user can write into the bind mount;
    # it will hold private keys, so tighten the permissions or delete it once the Secret exists.
    mkdir certs
    chmod 777 certs
    docker run --rm --entrypoint="" -v "$(pwd)/certs":"/certs" -w "/certs" -e STORE_PASSWORD="${storePassword}" "${onewexDockerImage}" bash -c "/opt/ibm/wex/sbin/gen_selfsigned_certs.sh && cp -r /wexdata/config/certs/* ."
    
    # Create the Secret. Values under data: must be single-line base64, so each encoding strips
    # the wrapping newlines; echo -n keeps a newline out of the passwords themselves.
    # Replace YOUR_RELEASE_NAME with the release name you will use for ibm-wex-prod.
    cat <<EOF | kubectl create -f -
    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: "ibm-wex-prod-authentication-tls-secret"
      labels:
        release: "YOUR_RELEASE_NAME"
        component: "authentication-tls-secret"
    data:
      storePassword: $(echo -n "${storePassword}" | base64 | tr -d '\n')
      databasePassword: $(echo -n "${databasePassword}" | base64 | tr -d '\n')
      discoveryPassword: $(echo -n "${discoveryPassword}" | base64 | tr -d '\n')
      mtls.jks: $(base64 < "certs/service/mtls.jks" | tr -d '\n')
      mtls_trust.jks: $(base64 < "certs/service/mtls_trust.jks" | tr -d '\n')
    EOF
  3. When you configure an ibm-wex-prod release, select Enable authentication and TLS of internal communication and enter your Secret name (for example, ibm-wex-prod-authentication-tls-secret) in the Secret name for authentication and TLS of internal communication textbox on the Configure page. If you do not need this feature, leave the textbox empty.
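The following script is an added example, not part of the IBM documentation or the ibm-wex-ee image. It renders the same Secret manifest as step 2 from the page's variables and keystore files, then checks the encoded fields before the manifest is applied; render_secret, field_value and check_secret are assumed names, and the keystore check assumes gen_selfsigned_certs.sh writes JKS-format files (which begin with the magic bytes FE ED FE ED).

```bash
# Added example, not from the IBM docs: render the page's Secret manifest and check it
set -eu
b64() { base64 | tr -d '\n'; }        # single-line base64, as Secret data: values require
hex() { od -An -tx1 | tr -d ' \n'; }  # stdin bytes as a lowercase hex string

# render_secret RELEASE SECRET_NAME CERTS_DIR: prints the manifest, reading the
# page's storePassword, databasePassword and discoveryPassword variables.
render_secret() {
  local release="$1" name="$2" certs="$3"
  cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: "${name}"
  labels:
    release: "${release}"
    component: "authentication-tls-secret"
data:
  storePassword: $(printf '%s' "${storePassword}" | b64)
  databasePassword: $(printf '%s' "${databasePassword}" | b64)
  discoveryPassword: $(printf '%s' "${discoveryPassword}" | b64)
  mtls.jks: $(b64 < "${certs}/service/mtls.jks")
  mtls_trust.jks: $(b64 < "${certs}/service/mtls_trust.jks")
EOF
}

# field_value MANIFEST KEY: prints the decoded bytes of one data: entry.
field_value() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }' | base64 -d
}

# check_secret MANIFEST: fails if a password is empty or ends in a newline (the "echo without
# -n" mistake, which silently changes the password the pods receive) or a keystore lacks the
# JKS magic FE ED FE ED (assumes gen_selfsigned_certs.sh writes JKS, not PKCS12, keystores).
check_secret() {
  local m="$1" k
  for k in storePassword databasePassword discoveryPassword; do
    case "$(field_value "$m" "$k" | hex)" in ""|*0a) return 1 ;; esac
  done
  for k in mtls.jks mtls_trust.jks; do
    [ "$(field_value "$m" "$k" | head -c4 | hex)" = "feedfeed" ] || return 1
  done
}

# Demo on constructed input: placeholder passwords and stand-in files holding only the JKS magic.
d=$(mktemp -d); mkdir -p "$d/service"
printf '\376\355\376\355' | tee "$d/service/mtls.jks" > "$d/service/mtls_trust.jks"
storePassword=YOUR_PASSWORD_1; databasePassword=YOUR_PASSWORD_2; discoveryPassword=YOUR_PASSWORD_3
check_secret "$(render_secret my-release ibm-wex-prod-authentication-tls-secret "$d")"  # exits non-zero on failure
echo "Secret manifest OK"; rm -rf "$d"
```

Pipe the output of render_secret into kubectl create -f - only after check_secret succeeds.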