This repository has been archived by the owner on Jul 28, 2023. It is now read-only.

Provide Secure Endpoints - Phase (implementation) #150

Open
marikaj123 opened this issue Mar 23, 2020 · 4 comments
Labels
documentation-id Improvements or additions to documentation Epic security

Comments

@marikaj123
Member

Kabanero should ensure that all networking between components can be over secure protocols.

@marikaj123
Member Author

marikaj123 commented Apr 17, 2020

Provide:
CLI service is called by CLI client

This is going to have multiple parts to get to where we need to be. Rather than have OpenShift trust the self-signed cert that Liberty uses, we're going to have Liberty use a certificate generated by OpenShift.
1. Configure OpenShift to generate a certificate into the landing page pod. See https://docs.openshift.com/container-platform/4.2/authentication/certificates/service-serving-certificate.html. For an example of how we did this with kabanero-eventing, see https://github.com/kabanero-io/kabanero-operator/blob/master/config/orchestrations/events/0.1/kabanero-events.yaml.
2. Convert the certificate to a keystore. See https://developers.redhat.com/blog/2017/11/22/dynamically-creating-java-keystores-openshift/. The certificate from step 1 should be mounted in the file system and we should use the keytool command to create a keystore from it. We will need to consider what container should build the keystore. We could use an init container as the example does, or do it right in the main container before we start Liberty. If we do it in the init container we must choose carefully what image we use, or build our own. The UBI base image (but not UBI-min) has OpenSSL, and the landing page image should have keytool, I think, but someone would need to verify that.
3. Update the Liberty configuration for the landing page to use the keystore that was built in step 2.

@marikaj123 marikaj123 changed the title Provide Secure Endpoints - Phase 3 (implementation) Provide Secure Endpoints - Phase (implementation) Apr 20, 2020
@kaczyns
Member

kaczyns commented Apr 20, 2020

WRT the previous comment - this work is already done. The operator is generating a service serving certificate for the landing page, and an init container is re-packaging this as a pkcs12 file that the Liberty server is using. The work was done before that comment was written, so, I'm wondering if there was a mistake. Was some other component supposed to start using a service serving certificate?

@alohr51
Member

alohr51 commented Apr 20, 2020

@kaczyns I talked with @jtmulvey and for the landing/console app this work is done in kabanero-io/kabanero-operator#178 (Marika added this issue to this epic for tracking purposes). The cert you generated from issue 178 is for the console app so others (like a browser) can trust this app, is that correct?

If the above assumption is correct, then I believe the CLI services app will have to do something similar because the console and the CLI client will both need to import a CLI Services cert so they can send a trusted/secure http request to it.

@marikaj123 marikaj123 added the documentation-id Improvements or additions to documentation label Apr 23, 2020
@marikaj123
Member Author

Doc for Issue 70 may be needed.
