Simplification of TLS config
@@ -50,10 +50,13 @@ gravitee-selfsigned-bootstrap (Issuer, self-signed)
### cert-manager keystores
Two secrets include PKCS12 keystores automatically generated by cert-manager:
- `api-internal-tls` → `keystore.p12` (used by Jetty)
- `gateway-internal-tls` → `keystore.p12` (used by Vert.x)
- `elasticsearch-tls` → `truststore.jks` (used by the JVM to trust the ES certificate)
Three secrets include PKCS12 keystores automatically generated by cert-manager:
- `api-internal-tls` → `keystore.p12` (Jetty server cert) + `truststore.p12` (CA trust for JVM)
- `gateway-internal-tls` → `keystore.p12` (Vert.x server cert) + `truststore.p12` (CA trust for JVM)
- `elasticsearch-tls` → `keystore.p12` + `truststore.p12` (ES server cert — keystore unused by Gravitee)
Each component mounts only its own internal TLS secret at `/run/secrets/tls/`, providing both
the server keystore and the JVM truststore from a single volume.
Keystore password is stored in the `gravitee-jks-password` secret.
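Review bot: the new `elasticsearch-tls` entry says its `keystore.p12` is unused by Gravitee, but the list no longer says what Gravitee reads from that secret at all now that the JVM truststore comes from `api-internal-tls`/`gateway-internal-tls`; either state which workload mounts `elasticsearch-tls` (the ES server, for its own certificate) or move it out of a list headed "cert-manager keystores" that otherwise describes what the Gravitee components consume. Also, "Keystore password is stored in the `gravitee-jks-password` secret" should say that the same password now protects `truststore.p12` as well, since the JVM is pointed at it with `-Djavax.net.ssl.trustStorePassword=${JKS_PASSWORD}` later in this change.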
@@ -86,7 +89,9 @@ All secrets are created by `secrets-create.sh` before the first deployment.
| `gravitee-admin` | `admin-password-plain`, `admin-password-bcrypt` | api (env) |
| `gravitee-es-master-credentials` | ES `username`, `password` | api, gateway (env) |
| `gravitee-jks-password` | keystore password | api, gateway (env) + cert-manager |
| `gravitee-ca-trust` | `ca.crt` only — no tls.crt/key | nginx ingress proxy-ssl-secret |
| `gravitee-ca-trust` | `ca.crt` only — no tls.crt/key | nginx ingress `proxy-ssl-secret` |
> `gravitee-ca-trust` is created by `secrets-create.sh` after the certificates are ready (it reads `ca.crt` from `gravitee-ca-tls`). It must contain **only** `ca.crt` — if `tls.crt`/`tls.key` were present, nginx would present them as a client certificate, triggering unintended mTLS toward backends.
> `gravitee-ca-trust` is a dedicated secret containing only `ca.crt`. The `proxy-ssl-secret` nginx annotation presents `tls.crt`/`tls.key` as a client certificate if they exist, which would unintentionally trigger mTLS toward backends.
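Review bot: of the two blockquote versions, only the first says when `gravitee-ca-trust` is created and where its `ca.crt` comes from (`gravitee-ca-tls`, once the certificates are ready); if the second is the one that remains, that ordering dependency is lost here, and the hunk's own context line ("All secrets are created by `secrets-create.sh` before the first deployment") becomes inaccurate for this secret, which the install steps now create separately after `kubectl wait`. Keep one sentence on creation and ordering in the note (e.g. "created from `gravitee-ca-tls` after the certificates are Ready; see step 3 of First install"). Since the whole point of the note is that the secret must carry only `ca.crt`, a one-line check the operator can run after creating it would also help, such as `kubectl -n gravitee-apim get secret gravitee-ca-trust -o jsonpath='{.data}'` and confirming the only key present is `ca.crt`.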
@@ -116,10 +121,11 @@ env:
TLS enabled via `tls=true` in the connection URI. Server certificate validation is handled by the JVM truststore:
```
JAVA_OPTS: -Djavax.net.ssl.trustStore=/run/secrets/truststore/truststore.jks
JAVA_OPTS: -Djavax.net.ssl.trustStoreType=PKCS12
-Djavax.net.ssl.trustStore=/run/secrets/tls/truststore.p12
-Djavax.net.ssl.trustStorePassword=${JKS_PASSWORD}
```
The `truststore.jks` is sourced from the `elasticsearch-tls` secret (contains the Gravitee CA).
The `truststore.p12` is sourced from the component's own internal TLS secret (`api-internal-tls` or `gateway-internal-tls`), which cert-manager populates with the issuing CA chain.
MongoDB runs with `--tlsAllowConnectionsWithoutCertificates` (no client mTLS) but requires server TLS (`--tlsMode=requireTLS`).
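Review bot: the new `JAVA_OPTS` value is shown as one `JAVA_OPTS:` line followed by two bare `-D...` lines, but the fence has no language tag and the indentation that makes those lines a continuation of the same YAML scalar is not visible; tag the fence as `yaml` and show the scalar form (e.g. `JAVA_OPTS: >-` with the three `-D` options indented beneath it) so a reader copying the block gets a single environment value. Two caveats deserve a sentence in the surrounding text: `-Djavax.net.ssl.trustStore` replaces the JVM's default `cacerts` rather than adding to it, so any other outbound TLS from api or gateway will only succeed against endpoints chaining to the CA that cert-manager put in `truststore.p12`; and `-Djavax.net.ssl.trustStorePassword=${JKS_PASSWORD}` puts the password that also protects the private-key keystore on the JVM command line, where it is readable from the process list inside the container.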
@@ -173,17 +179,34 @@ annotations:
### First install
```bash
# 1. Create secrets
./deploy.sh
```
Or step by step:
```bash
# 1. Create credential secrets
./secrets-create.sh
# 2. Deploy PKI
# 2. Deploy PKI and wait for certificates
kubectl apply -f certificates.yml
kubectl -n gravitee-apim wait --for=condition=Ready certificate --all --timeout=180s
# 3. Deploy backends
# 3. Create CA trust secret for nginx (requires certificates to be ready first)
kubectl -n gravitee-apim get secret gravitee-ca-tls -o jsonpath='{.data.ca\.crt}' | base64 -d | \
kubectl -n gravitee-apim create secret generic gravitee-ca-trust --from-file=ca.crt=/dev/stdin \
--dry-run=client -o yaml | kubectl apply -f -
# 4. Enable nginx ingress snippets
kubectl patch configmap ingress-nginx-controller -n ingress-nginx \
--type merge -p '{"data":{"allow-snippet-annotations":"true","annotations-risk-level":"Critical"}}'
kubectl rollout restart deployment/ingress-nginx-controller -n ingress-nginx
# 5. Deploy backends
helm upgrade --install mongodb bitnami/mongodb -n gravitee-apim -f mongo-values.yml
helm upgrade --install elasticsearch elastic/elasticsearch -n gravitee-apim -f elastic-values.yml
# 4. Deploy Gravitee
# 6. Deploy Gravitee
helm upgrade --install graviteeio-apim graviteeio/apim -n gravitee-apim -f apim-values.yml
```
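Review bot: step 4 turns on `allow-snippet-annotations` for the whole ingress-nginx controller and raises `annotations-risk-level` to `Critical`; that lets any principal who can create or edit an Ingress object in any namespace inject raw nginx configuration into the shared controller, so the step should say which snippet annotation Gravitee's ingress actually needs and name the compensating control (RBAC that limits who can write Ingress objects, or a controller instance dedicated to this namespace) rather than presenting the patch as a routine setup step. A short "why" comment on the `kubectl patch` line, next to the existing step comments, would be enough.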
@@ -198,6 +221,8 @@ helm upgrade --install elasticsearch elastic/elasticsearch -n gravitee-apim -f e
helm upgrade --install graviteeio-apim graviteeio/apim -n gravitee-apim -f apim-values.yml
```
> Secrets, certs, PVs and the `gravitee-ca-trust` secret are preserved across workload rebuilds.
### /etc/hosts
```
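Review bot: the added line says `gravitee-ca-trust` is preserved across workload rebuilds, but it is a point-in-time copy of `ca.crt` made in step 3, not something cert-manager keeps in sync; when `gravitee-ca-tls` is renewed with a new CA certificate the copy goes stale and nginx's `proxy-ssl-secret` keeps verifying backends against the old CA. Say so here and point the reader to re-running step 3 after a CA rotation (it is safe to recreate the secret at any time, since the step uses `--dry-run=client -o yaml | kubectl apply -f -`).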