Support for mutual TLS connection between the manager and connectors #1587
Conversation
…brik#1556) Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
charts/fybrik/templates/katalog-connector/katalog-connector-deployment.yaml
Outdated
Show resolved
Hide resolved
| @@ -16,4 +17,10 @@ rules: | |||
| - apiGroups: ["katalog.fybrik.io"] | |||
| resources: ["assets"] | |||
| verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"] | |||
| {{- if .Values.global.tls.enabled }} | |||
There was a problem hiding this comment.
Shouldn't it be specific to katalog-connector and not according to the global default?
There was a problem hiding this comment.
I used global settings to simplify configuration. if needed we can change that...
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
charts/fybrik/templates/opa-connector/opa-connector-deployment.yaml
Outdated
Show resolved
Hide resolved
| - name: CACERT_SECRET_NAME | ||
| value: {{ .Values.manager.tls.certs.cacertSecretName }} | ||
| - name: CACERT_SECRET_NAMESPACE | ||
| value: {{ .Values.manager.tls.certs.cacertSecretNamespace }} |
There was a problem hiding this comment.
Where are these env vars used in the manager code?
There was a problem hiding this comment.
in the auto-generated code pkg/connectors/datacatalog/openapiclient/client.go and pkg/connectors/policymanager/openapiclient/client.go. The latest version of openapi generator tool supports OpenAPI Spec 3.0 and it does not contain TLS support so I had to insert the tls support in the generated code. (The tls support is introduced in OpenAPI Spec 3.1.x)
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
| @@ -50,6 +50,23 @@ spec: | |||
| value: {{ .Values.global.prettyLogging | quote }} | |||
| - name: LOGGING_VERBOSITY | |||
| value: {{ .Values.global.loggingVerbosity | quote }} | |||
| - name: CATALOG_CONNECTOR_USE_TLS | |||
There was a problem hiding this comment.
This value is now deduced from the service port.
charts/fybrik/templates/katalog-connector/katalog-connector-deployment.yaml
Outdated
Show resolved
Hide resolved
charts/fybrik/templates/katalog-connector/katalog-connector-deployment.yaml
Outdated
Show resolved
Hide resolved
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
cd15ad6 to
9163214
Compare
Signed-off-by: Revital Sur <eres@il.ibm.com>
There was a problem hiding this comment.
We forgot to configure the OPA server to use TLS.
see https://www.openpolicyagent.org/docs/latest/security/
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
| @@ -12,7 +12,83 @@ The `NetworkPolicy` is always created. However, your Kubernetes cluster must hav | |||
|
|
|||
| ## Mutual TLS | |||
|
|
|||
| If Istio is installed in the cluster then you can use [automatic mutual TLS](https://istio.io/latest/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls) to encrypt the traffic to the connectors. | |||
| ### Using Fybrik | |||
There was a problem hiding this comment.
maybe the first paragraph, should be rephrased to something like:
Kubernetes NetworkPolicies TLS/mTLS and optionally Istio can be used to protect components of the control plane. Specifically, traffic to connectors that run as part of the control plane must be secured. Follow this page to enable control plane security.
There was a problem hiding this comment.
Line 13 should be # TLS.
Line 15 -> ## Configure Fybrik to use TLS
| If Istio is installed in the cluster then you can use [automatic mutual TLS](https://istio.io/latest/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls) to encrypt the traffic to the connectors. | ||
| ### Using Fybrik | ||
|
|
||
| Fybrik can be configured to have the traffic between the manager and the connectors encrypted by using TLS. In addition, mutual TLS authentication is possible too. |
There was a problem hiding this comment.
Fybrik can be configured to protect trafffic between the manager and connectors by using TLS.
|
|
||
| Fybrik can be configured to have the traffic between the manager and the connectors encrypted by using TLS. In addition, mutual TLS authentication is possible too. | ||
|
|
||
| In the TLS mode, the connectors (aka the servers) should have their certificates available to provide them to the manager (aka client) in the TLS protocol handshake process. In mutual TLS mode, both the manager and connector should have their certificates available. |
There was a problem hiding this comment.
Certificate Authorities (CA) credentials should be installed too.
| In the TLS mode, the connectors (aka the servers) should have their certificates available to provide them to the manager (aka client) in the TLS protocol handshake process. In mutual TLS mode, both the manager and connector should have their certificates available. | ||
|
|
||
|
|
||
| #### Adding TLS Secrets |
There was a problem hiding this comment.
Additing TLS Certificate as Kubernetes secrets
| name: ca-issuer | ||
| secretName: tls-manager-certs | ||
| ``` | ||
|
|
There was a problem hiding this comment.
The advantahe of using certificate manager that it automaticalliy tries to renew certificates.
| secretName: tls-manager-certs | ||
| ``` | ||
|
|
||
| #### Using a Private CA Signed Certificate |
| --from-file=cacerts.pem=./cacerts.pem | ||
| ``` | ||
|
|
||
| #### Update Values.yaml file |
| cacertSecretNamespace: "fybrik-system" | ||
| ``` | ||
|
|
||
| ### Using Istio |
| # Name of kubernetes secret namespace that holds the certificate authority (CA) | ||
| # certificates which are used by the manager to validate the connection to the connectors. | ||
| cacertSecretNamespace: "fybrik-system" | ||
| ``` |
There was a problem hiding this comment.
where is the useTLS and useMTLS flags ?
maybe better to provide a server (one of teh conectors ) as an example
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
Signed-off-by: Revital Sur <eres@il.ibm.com>
Closes #1556
This PR adds support for mutual TLS connection between the manager and connectors.
the certificates are provided in Kubernetes secrets as described in values.yaml.
The PR contains a notebook test for tls connection.