From ae1387415a16eaf2a1791107f0960139f2edee41 Mon Sep 17 00:00:00 2001
From: an1l4 <1995anila@gmail.com>
Date: Mon, 20 May 2024 08:56:55 +0530
Subject: [PATCH 1/5] mTLS-readme added with configuration steps
---
 README.md | 18 +++++++
 docs/CONFIGURATION_MTLS.md | 97 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 115 insertions(+)
 create mode 100644 docs/CONFIGURATION_MTLS.md
diff --git a/README.md b/README.md
index 4c2605cc..42436fce 100644
--- a/README.md
+++ b/README.md
@@ -223,6 +223,24 @@ kubectl --namespace kubviz port-forward $POD_NAME 3000 3. Access "localhost:3000" in your web browser, where you'll be prompted to enter your credentials. Utilize the username "admin" and the password obtained from step 1 to proceed. +#### mTLS - mutual TLS Feature + +Mutual TLS (mTLS) is an extension of standard Transport Layer Security (TLS) that enhances security by requiring both the client and server to authenticate and verify each other's identities during the SSL/TLS handshake process. This mutual authentication helps ensure that both parties are who they claim to be, providing a higher level of security for sensitive data exchanges. + +In our kubviz setup, we use mTLS for secure communication with the NATS server. Both the agent and the client connect to the NATS server using mTLS. The agent sends data to the NATS server securely, and the client also uses mTLS to receive data from the NATS server. + +#### Why Use mTLS? + +- **Enhanced Security:** mTLS ensures that both the client and server are authenticated, mitigating the risk of man-in-the-middle attacks. + +- **Data Integrity:** By verifying identities, mTLS ensures that data is exchanged between trusted entities only. + +- **Regulatory Compliance:** For many industries, mTLS is a requirement for compliance with regulations that mandate secure communication. + +#### Configuring mTLS + +To enable mTLS in your application, [follow these steps:](docs/CONFIGURATION_MTLS.md) + #### TTL - Time-To-Live Feature We've implemented a Time-To-Live (TTL) feature to streamline the management of data within your ClickHouse tables. With TTL, historical data can be automatically relocated to alternative storage or purged to optimize storage space. This feature is particularly valuable for scenarios like time-series data or logs where older data gradually loses its relevance over time. diff --git a/docs/CONFIGURATION_MTLS.md b/docs/CONFIGURATION_MTLS.md new file mode 100644 index 00000000..76f24567 
--- /dev/null
+++ b/docs/CONFIGURATION_MTLS.md
@@ -0,0 +1,97 @@ +# Configuring mTLS: Guidelines and Instructions + +- **Step-1:** Create a ca-config.cnf file + +[ req ] +default_bits = 2048 +distinguished_name = req_distinguished_name +req_extensions = req_ext +x509_extensions = v3_ca +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = IN +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Tamil Nadu +localityName = Locality Name (eg, city) +localityName_default = Chennai +organizationName = Organization Name (eg, company) +organizationName_default = Kubviz +commonName = Common Name (e.g. server FQDN or YOUR name) +commonName_max = 64 +[ req_ext ] +subjectAltName = @alt_names +[ v3_ca ] +subjectAltName = @alt_names +[ alt_names ] +DNS.1 = kubviz-client-nats +DNS.2 = kubviz-client +DNS.3 = kubviz-agent + +- **Step-2:** Create ca-cert.pem + +openssl genrsa -out ca-key.pem 4096 +openssl req -new -x509 -days 365 -key ca-key.pem -out ca-cert.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=KubvizCA" + +- **Step-3:** Create the Server Certificate + +openssl genrsa -out server-key.pem 4096 +openssl req -new -key server-key.pem -out server-csr.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=kubviz-client-nats" -config ca-config.cnf -extensions req_ext +openssl x509 -req -days 365 -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem -extfile ca-config.cnf -extensions v3_ca + +- **Step-4:** Create the Client Certificate + +openssl genrsa -out client-key.pem 4096 +openssl req -new -key client-key.pem -out client-csr.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=kubviz-client" -config ca-congig.cnf -extensions req_ext +openssl x509 -req -days 365 -in client-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem -extfile ca-config.cnf -extensions v3_ca + +- **step-5:** Create the agent certificate + +openssl genrsa -out agent-key.pem 4096 +openssl req -new -key 
agent-key.pem -out agent-csr.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=kubviz-agent" -config ca-config.cnf -extensions req_ext +openssl x509 -req -days 365 -in agent-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out agent-cert.pem -extfile ca-config.cnf -extensions v3_ca + +- **step-6:** Create secrets + +kubectl create secret generic kubviz-client-ca-cert --from-file=client-cert.pem --from-file=client-key.pem --from-file=ca-cert.pem -n kubviz + +kubectl create secret generic kubviz-agent-ca-cert --from-file=agent-cert.pem --from-file=agent-key.pem --from-file=ca-cert.pem -n kubviz + +kubectl create secret generic kubviz-server-ca-cert --from-file=server-cert.pem --from-file=server-key.pem --from-file=ca-cert.pem -n kubviz + +#### if you want to enable mtls add the secret name in client/values.yaml also mtls.enabled:true + +- **Step-7:** Add the secret name in client/value.yaml + +Below is the nats configuration + +```yaml +tls: + secret: + name: kubviz-server-ca-cert + ca: "ca-cert.pem" + cert: "server-cert.pem" + key: "server-key.pem" + verify: true + verify_and_map: true +... +``` + +- **Step-8:** Add the secret name in client/value.yaml + +```yaml +mtls: + enabled: true + secret: + name: kubviz-client-ca-cert +... +``` + +- **Step-9:** Add the secret name in agent/value.yaml + +```yaml +mtls: + enabled: true + secret: + name: kubviz-agent-ca-cert +... +``` From bcdeda6943f27e4146b802d1741804b8c18dac24 Mon Sep 17 00:00:00 2001 From: an1l4 <1995anila@gmail.com> Date: Mon, 20 May 2024 09:07:51 +0530 Subject: [PATCH 2/5] mTLS-readme added with configuration steps --- docs/CONFIGURATION_MTLS.md | 77 +++++++++++++++++++++++++++++++++----- 1 file changed, 67 insertions(+), 10 deletions(-) diff --git a/docs/CONFIGURATION_MTLS.md b/docs/CONFIGURATION_MTLS.md index 76f24567..904f1264 100644 --- a/docs/CONFIGURATION_MTLS.md +++ b/docs/CONFIGURATION_MTLS.md 
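Review bot: The three leaf certificates in Step-3 to Step-5 are all signed with `-extensions v3_ca`, and the `[ v3_ca ]` section of ca-config.cnf puts the same `alt_names` list (`kubviz-client-nats`, `kubviz-client`, `kubviz-agent`) into every certificate and sets no `extendedKeyUsage`, so the agent or client key chains to the same CA and carries the server's DNS name, i.e. it also validates as the NATS server to a peer — the mutual authentication this page sets up does not bind a key to one role, and with `verify_and_map: true` NATS presumably derives the user from the SAN/subject as well, so identical SANs would leave the identities indistinguishable (confirm against the NATS authorization config in use). Two commands also need fixing: Step-4 passes `-config ca-congig.cnf` (typo, `openssl req` will fail to open it), and Step-4 and Step-5 both pass `-set_serial 02`, giving two certificates the same serial under one issuer, which RFC 5280 forbids and which makes serial-based revocation ambiguous — use `-set_serial 03` for the agent, or drop `-set_serial` in favour of `-CAcreateserial`. I would replace the shared `[ v3_ca ]` section with one extension section per role (below) and sign the three CSRs with `-extensions server_ext`, `-extensions client_ext` and `-extensions agent_ext` respectively, keeping the real `[ v3_ca ]` for the CA only. The typo and the duplicate serial survive unchanged through PATCH 5/5.
```ini
# … unchanged: [ req ], [ req_distinguished_name ], [ req_ext ] …
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:kubviz-client-nats
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:kubviz-client
[ agent_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:kubviz-agent
```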
@@ -1,66 +1,123 @@ # Configuring mTLS: Guidelines and Instructions -- **Step-1:** Create a ca-config.cnf file +**Step-1:** Create a ca-config.cnf file [ req ] + default_bits = 2048 + distinguished_name = req_distinguished_name + req_extensions = req_ext + x509_extensions = v3_ca + [ req_distinguished_name ] + countryName = Country Name (2 letter code) + countryName_default = IN + stateOrProvinceName = State or Province Name (full name) + stateOrProvinceName_default = Tamil Nadu + localityName = Locality Name (eg, city) + localityName_default = Chennai + organizationName = Organization Name (eg, company) + organizationName_default = Kubviz + commonName = Common Name (e.g. server FQDN or YOUR name) + commonName_max = 64 + [ req_ext ] + subjectAltName = @alt_names + [ v3_ca ] + subjectAltName = @alt_names + [ alt_names ] + DNS.1 = kubviz-client-nats + DNS.2 = kubviz-client + DNS.3 = kubviz-agent -- **Step-2:** Create ca-cert.pem +**Step-2:** Create ca-cert.pem +```bash openssl genrsa -out ca-key.pem 4096 +``` + +```bash openssl req -new -x509 -days 365 -key ca-key.pem -out ca-cert.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=KubvizCA" +``` -- **Step-3:** Create the Server Certificate +**Step-3:** Create the Server Certificate +```bash openssl genrsa -out server-key.pem 4096 +``` + +```bash openssl req -new -key server-key.pem -out server-csr.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=kubviz-client-nats" -config ca-config.cnf -extensions req_ext +``` + +```bash openssl x509 -req -days 365 -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem -extfile ca-config.cnf -extensions v3_ca +``` -- **Step-4:** Create the Client Certificate +**Step-4:** Create the Client Certificate +```bash openssl genrsa -out client-key.pem 4096 +``` + +```bash openssl req -new -key client-key.pem -out client-csr.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=kubviz-client" -config ca-congig.cnf -extensions req_ext +``` + +```bash 
openssl x509 -req -days 365 -in client-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem -extfile ca-config.cnf -extensions v3_ca +``` -- **step-5:** Create the agent certificate +**step-5:** Create the agent certificate +```bash openssl genrsa -out agent-key.pem 4096 +``` + +```bash openssl req -new -key agent-key.pem -out agent-csr.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=kubviz-agent" -config ca-config.cnf -extensions req_ext -openssl x509 -req -days 365 -in agent-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out agent-cert.pem -extfile ca-config.cnf -extensions v3_ca +``` -- **step-6:** Create secrets +```bash +openssl x509 -req -days 365 -in agent-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out agent-cert.pem -extfile ca-config.cnf -extensions v3_ca +``` +**step-6:** Create secrets +```bash kubectl create secret generic kubviz-client-ca-cert --from-file=client-cert.pem --from-file=client-key.pem --from-file=ca-cert.pem -n kubviz +``` +```bash kubectl create secret generic kubviz-agent-ca-cert --from-file=agent-cert.pem --from-file=agent-key.pem --from-file=ca-cert.pem -n kubviz +``` +```bash kubectl create secret generic kubviz-server-ca-cert --from-file=server-cert.pem --from-file=server-key.pem --from-file=ca-cert.pem -n kubviz +``` #### if you want to enable mtls add the secret name in client/values.yaml also mtls.enabled:true -- **Step-7:** Add the secret name in client/value.yaml +**Step-7:** Add the secret name in client/value.yaml Below is the nats configuration @@ -76,7 +133,7 @@ tls: ... ``` -- **Step-8:** Add the secret name in client/value.yaml +**Step-8:** Add the secret name in client/value.yaml ```yaml mtls: @@ -86,7 +143,7 @@ mtls: ... ``` -- **Step-9:** Add the secret name in agent/value.yaml +**Step-9:** Add the secret name in agent/value.yaml ```yaml mtls: From 79f04b026cb933ee232fc18c03803c335d15e9a1 Mon Sep 17 00:00:00 2001 
From: an1l4 <1995anila@gmail.com> Date: Mon, 20 May 2024 09:16:46 +0530 Subject: [PATCH 3/5] mTLS-readme added with configuration steps --- docs/CONFIGURATION_MTLS.md | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/docs/CONFIGURATION_MTLS.md b/docs/CONFIGURATION_MTLS.md index 904f1264..81b0dc91 100644 --- a/docs/CONFIGURATION_MTLS.md +++ b/docs/CONFIGURATION_MTLS.md @@ -1,7 +1,8 @@ # Configuring mTLS: Guidelines and Instructions -**Step-1:** Create a ca-config.cnf file +**Step-1: Create a ca-config.cnf file** +```$xslt [ req ] default_bits = 2048 @@ -49,8 +50,9 @@ DNS.1 = kubviz-client-nats DNS.2 = kubviz-client DNS.3 = kubviz-agent +``` -**Step-2:** Create ca-cert.pem +**Step-2: Create ca-cert.pem** ```bash openssl genrsa -out ca-key.pem 4096 @@ -60,7 +62,7 @@ openssl genrsa -out ca-key.pem 4096 openssl req -new -x509 -days 365 -key ca-key.pem -out ca-cert.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=KubvizCA" ``` -**Step-3:** Create the Server Certificate +**Step-3: Create the Server Certificate** ```bash openssl genrsa -out server-key.pem 4096 @@ -74,7 +76,7 @@ openssl req -new -key server-key.pem -out server-csr.pem -subj "/C=IN/ST=Tamil N openssl x509 -req -days 365 -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem -extfile ca-config.cnf -extensions v3_ca ``` -**Step-4:** Create the Client Certificate +**Step-4: Create the Client Certificate** ```bash openssl genrsa -out client-key.pem 4096 @@ -88,7 +90,7 @@ openssl req -new -key client-key.pem -out client-csr.pem -subj "/C=IN/ST=Tamil N openssl x509 -req -days 365 -in client-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem -extfile ca-config.cnf -extensions v3_ca ``` -**step-5:** Create the agent certificate +**step-5: Create the agent certificate** ```bash openssl genrsa -out agent-key.pem 4096 
@@ -101,7 +103,7 @@ openssl req -new -key agent-key.pem -out agent-csr.pem -subj "/C=IN/ST=Tamil Nad ```bash openssl x509 -req -days 365 -in agent-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out agent-cert.pem -extfile ca-config.cnf -extensions v3_ca ``` -**step-6:** Create secrets +**step-6: Create secrets** ```bash kubectl create secret generic kubviz-client-ca-cert --from-file=client-cert.pem --from-file=client-key.pem --from-file=ca-cert.pem -n kubviz @@ -115,9 +117,9 @@ kubectl create secret generic kubviz-agent-ca-cert --from-file=agent-cert.pem -- kubectl create secret generic kubviz-server-ca-cert --from-file=server-cert.pem --from-file=server-key.pem --from-file=ca-cert.pem -n kubviz ``` -#### if you want to enable mtls add the secret name in client/values.yaml also mtls.enabled:true +#### if you want to enable mtls add the secret name in client/values.yaml also mtls.enabled: true -**Step-7:** Add the secret name in client/value.yaml +**Step-7: Add the secret name in client/value.yaml** Below is the nats configuration @@ -133,7 +135,7 @@ tls: ... ``` -**Step-8:** Add the secret name in client/value.yaml +**Step-8: Add the secret name in client/value.yaml** ```yaml mtls: @@ -143,7 +145,7 @@ mtls: ... ``` -**Step-9:** Add the secret name in agent/value.yaml +**Step-9: Add the secret name in agent/value.yaml** ```yaml mtls: From 1fb516b63b0625c1a555ea957bf487c9c11140b8 Mon Sep 17 00:00:00 2001 From: an1l4 <1995anila@gmail.com> Date: Mon, 20 May 2024 09:18:08 +0530 Subject: [PATCH 4/5] mTLS-readme added with configuration steps --- docs/CONFIGURATION_MTLS.md | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/docs/CONFIGURATION_MTLS.md b/docs/CONFIGURATION_MTLS.md index 81b0dc91..e1a34875 100644 --- a/docs/CONFIGURATION_MTLS.md +++ b/docs/CONFIGURATION_MTLS.md 
@@ -4,51 +4,28 @@ ```$xslt [ req ] - default_bits = 2048 - distinguished_name = req_distinguished_name - req_extensions = req_ext - x509_extensions = v3_ca - [ req_distinguished_name ] - countryName = Country Name (2 letter code) - countryName_default = IN - stateOrProvinceName = State or Province Name (full name) - stateOrProvinceName_default = Tamil Nadu - localityName = Locality Name (eg, city) - localityName_default = Chennai - organizationName = Organization Name (eg, company) - organizationName_default = Kubviz - commonName = Common Name (e.g. server FQDN or YOUR name) - commonName_max = 64 - [ req_ext ] - subjectAltName = @alt_names - [ v3_ca ] - subjectAltName = @alt_names - [ alt_names ] - DNS.1 = kubviz-client-nats - DNS.2 = kubviz-client - DNS.3 = kubviz-agent ``` From 4418c43fa5e0624dc5cb7dcb53cef7722a69c5f9 Mon Sep 17 00:00:00 2001 From: an1l4 <1995anila@gmail.com> Date: Mon, 20 May 2024 11:24:36 +0530 Subject: [PATCH 5/5] mTLS-readme added with configuration steps --- README.md | 2 +- docs/CONFIGURATION_MTLS.md | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 42436fce..1902e242 100644 --- a/README.md +++ b/README.md @@ -239,7 +239,7 @@ In our kubviz setup, we use mTLS for secure communication with the NATS server. #### Configuring mTLS -To enable mTLS in your application, [follow these steps:](docs/CONFIGURATION_MTLS.md) +To enable mTLS in your application for agent-to-NATS communication, [follow these steps:](docs/CONFIGURATION_MTLS.md) #### TTL - Time-To-Live Feature diff --git a/docs/CONFIGURATION_MTLS.md b/docs/CONFIGURATION_MTLS.md index e1a34875..7eccac23 100644 --- a/docs/CONFIGURATION_MTLS.md +++ b/docs/CONFIGURATION_MTLS.md 
@@ -10,11 +10,11 @@ req_extensions = req_ext x509_extensions = v3_ca [ req_distinguished_name ] countryName = Country Name (2 letter code) -countryName_default = IN +countryName_default = US stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Tamil Nadu +stateOrProvinceName_default = New York localityName = Locality Name (eg, city) -localityName_default = Chennai +localityName_default = Albany organizationName = Organization Name (eg, company) organizationName_default = Kubviz commonName = Common Name (e.g. server FQDN or YOUR name) @@ -36,7 +36,7 @@ openssl genrsa -out ca-key.pem 4096 ``` ```bash -openssl req -new -x509 -days 365 -key ca-key.pem -out ca-cert.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=KubvizCA" +openssl req -new -x509 -days 365 -key ca-key.pem -out ca-cert.pem -subj "/C=US/ST=New York/L=Albany/O=Kubviz/CN=KubvizCA" ``` **Step-3: Create the Server Certificate** @@ -46,7 +46,7 @@ openssl genrsa -out server-key.pem 4096 ``` ```bash -openssl req -new -key server-key.pem -out server-csr.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=kubviz-client-nats" -config ca-config.cnf -extensions req_ext +openssl req -new -key server-key.pem -out server-csr.pem -subj "/C=US/ST=New York/L=Albany/O=Kubviz/CN=kubviz-client-nats" -config ca-config.cnf -extensions req_ext ``` ```bash @@ -60,7 +60,7 @@ openssl genrsa -out client-key.pem 4096 ``` ```bash -openssl req -new -key client-key.pem -out client-csr.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=kubviz-client" -config ca-congig.cnf -extensions req_ext +openssl req -new -key client-key.pem -out client-csr.pem -subj "/C=US/ST=New York/L=Albany/O=Kubviz/CN=kubviz-client" -config ca-congig.cnf -extensions req_ext ``` ```bash 
@@ -74,7 +74,7 @@ openssl genrsa -out agent-key.pem 4096 ``` ```bash -openssl req -new -key agent-key.pem -out agent-csr.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=kubviz-agent" -config ca-config.cnf -extensions req_ext +openssl req -new -key agent-key.pem -out agent-csr.pem -subj "/C=US/ST=New York/L=Albany/O=Kubviz/CN=kubviz-agent" -config ca-config.cnf -extensions req_ext ``` ```bash