User:Giuseppe Lavagetto/Add Tls On Kubernetes

From Wikitech
  • Patch the helm chart to add the relevant TLS stanzas. Remember to package the chart and reindex before merging your patch.
  • Assuming you have guarded the TLS addition behind a flag, do a no-op deployment to verify you didn't change something fundamental.
  • Add the relevant certificate to puppet's private repo:
    • Edit /srv/private/modules/secret/secrets/certificates/certificate.manifests.d/kube_services.certs.yaml and add a stanza for your service. It should closely mimic the existing ones. DO NOT SET A PASSWORD: using a password results in an encrypted key file, which envoyproxy can't use.
    • Run cergen -c '$SERVICE_NAME.*' --base-path /srv/private/modules/secret/secrets/certificates /srv/private/modules/secret/secrets/certificates/certificate.manifests.d to see which certificates would be generated; then run the same command again with --generate added to actually create the certificate.
    • ONLY IF YOU SET A KEY PASSWORD do the following: envoyproxy needs the unencrypted key, so create it with openssl ec -in modules/secret/secrets/certificates/$CERT_NAME/$CERT_NAME.key.private.pem -out modules/secret/secrets/certificates/$CERT_NAME/$CERT_NAME.key.private.unencrypted.pem. You will be prompted for the password you set in cergen.
    • Commit all the generated files to git.
    • Edit /srv/private/hieradata/role/common/deployment_server.yaml and add the service in the appropriate place, for all environments:
profile::kubernetes::deployment_server_secrets::services:
  blubberoid:
    staging:
      tls: &blubberoid_certs
        certs:
          # NOTE: If you set a password, use the $CERT_NAME.key.private.unencrypted.pem file you created instead.
          key: "secret(certificates/$CERT_NAME/$CERT_NAME.key.private.pem)"
          cert: "secret(certificates/$CERT_NAME/$CERT_NAME.crt.pem)"
    eqiad:
      tls: *blubberoid_certs
    codfw:
      tls: *blubberoid_certs
...
    • Commit all your changes.
  • Run puppet on the deployment hosts, and verify that the data written to the private/secrets.yaml file under helmfile.d/services/{staging,eqiad,codfw}/$SERVICE_NAME/private/secrets.yaml is correct.
  • Add the rest of the configuration for TLS enablement in deployment-charts under helmfile.d/services/{staging,eqiad,codfw}/$SERVICE_NAME/values.yaml.
  • Happy helming!
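The step above about key passwords is the easy one to get wrong: a password-protected key is committed, puppet writes it into secrets.yaml, and envoyproxy silently fails to load it. The following added example (my own check, not part of the original page or of cergen) inspects a PEM key for the encrypted-key markers before you commit, and, where openssl is available, confirms the key matches its certificate. The sample PEM files it writes are constructed, not real key material.

```bash
#!/bin/sh
# check_key_unencrypted FILE -> 0 if envoyproxy can load the key, 1 if it is
# password-protected (or not a private key), 2 if unreadable.
check_key_unencrypted() {
  keyfile="$1"
  [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 2; }
  # PKCS#8 encrypted keys carry a distinct BEGIN line ...
  if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$keyfile"; then
    echo "$keyfile: PKCS#8 encrypted key; regenerate without a password or decrypt with 'openssl ec'" >&2
    return 1
  fi
  # ... while legacy OpenSSL PEM encryption adds Proc-Type/DEK-Info headers
  # inside an ordinary EC PRIVATE KEY block.
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
    echo "$keyfile: legacy PEM-encrypted key; decrypt with 'openssl ec'" >&2
    return 1
  fi
  if ! grep -q -e 'BEGIN EC PRIVATE KEY' -e 'BEGIN PRIVATE KEY' "$keyfile"; then
    echo "$keyfile: no private key block found" >&2
    return 1
  fi
  return 0
}

# cert_matches_key KEY CERT -> 0 if the public keys agree; 2 if openssl is absent.
cert_matches_key() {
  command -v openssl >/dev/null 2>&1 || return 2
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# Writes constructed sample files (not real keys) into DIR so the checks can
# be exercised offline: plain.pem, legacy.pem, pkcs8.pem.
make_sample_keys() {
  dir="$1"
  printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSBrZXk=' \
    '-----END EC PRIVATE KEY-----' > "$dir/plain.pem"
  printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
    'Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSBrZXk=' '-----END EC PRIVATE KEY-----' > "$dir/legacy.pem"
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSBrZXk=' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/pkcs8.pem"
}
```

Run it against modules/secret/secrets/certificates/$CERT_NAME/$CERT_NAME.key.private.pem (or the .unencrypted.pem you created) before committing; a non-zero exit means envoyproxy will not be able to use that file.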