User:Giuseppe Lavagetto/Add Tls On Kubernetes
- Patch the helm chart to add the relevant stanzas. Remember to package the chart and reindex before merging your patch
- Assuming you've guarded the TLS addition, do a noop deployment to verify you didn't change something fundamental
- Add the relevant certificate to puppet's private repo: in
 /srv/private/modules/secret/secrets/certificates/certificate.manifests.d/kube_services.certs.yaml
 add a stanza for your service. It should closely mimic the existing ones. DO NOT SET A PASSWORD. Using a password results in an encrypted key file, which envoyproxy can't use.
- Run cergen:
 cergen -c '$SERVICE_NAME.*' --base-path /srv/private/modules/secret/secrets/certificates /srv/private/modules/secret/secrets/certificates/certificate.manifests.d
 to see if the right certificates would be generated; then run it again adding --generate to create the certificate.
- ONLY IF YOU SET A KEY PASSWORD do the following: we need the unencrypted key, so create it with
 openssl ec -in modules/secret/secrets/certificates/$CERT_NAME/$CERT_NAME.key.private.pem -out modules/secret/secrets/certificates/$CERT_NAME/$CERT_NAME.key.private.unencrypted.pem
 You will be prompted for the password you set in cergen.
- Commit all the generated files to git
- Edit /srv/private/hieradata/role/common/deployment_server.yaml to add it in the appropriate place there, for all environments:
 profile::kubernetes::deployment_server_secrets::services:
   blubberoid:
     staging:
       tls: &blubberoid_certs
         certs:
           # NOTE: If you set a password, use the $CERT_NAME.key.private.unencrypted.pem file you created instead.
           key: "secret(certificates/$CERT_NAME/$CERT_NAME.key.private.pem)"
           cert: "secret(certificates/$CERT_NAME/$CERT_NAME.crt.pem)"
     eqiad:
       tls: *blubberoid_certs
     codfw:
       tls: *blubberoid_certs
   ...
- commit all your changes
- Run puppet on the deployment hosts, verify the data that gets written to the
- Add the rest of the configuration for tls enablement in deployment-charts under
- Happy helming!
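An added pre-merge lint for the two things this procedure most easily gets wrong: a password-protected key file (which envoyproxy cannot load) and a hiera stanza where an environment is missing or the key and cert references do not agree. This is my own example, not part of this page or of the puppet repo; it assumes the stanza has already been loaded into a dict the way PyYAML does, with the &blubberoid_certs anchor resolved, and the sample data below is constructed.

```python
import re

# PEM markers of a password-protected key (PKCS#8 and legacy OpenSSL forms).
# envoy cannot load such a key, so hiera must never point at one.
ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")

# secret(certificates/<name>/<name>.<suffix>.pem) where <name> must repeat (\1).
SECRET_RE = re.compile(r"^secret\(certificates/([^/]+)/\1\.(.+)\.pem\)$")
EXPECTED_SUFFIXES = {"key": ("key.private", "key.private.unencrypted"), "cert": ("crt",)}
REQUIRED_ENVS = ("staging", "eqiad", "codfw")


def key_is_encrypted(pem_text: str) -> bool:
    """True if the PEM text carries a password-protection header."""
    return any(marker in pem_text for marker in ENCRYPTED_MARKERS)


def check_service_tls(services: dict, name: str) -> list:
    """Lint one service under deployment_server_secrets::services; returns the problems found."""
    problems = []
    svc = services.get(name)
    if svc is None:
        return [f"{name}: no entry under deployment_server_secrets::services"]
    for env in REQUIRED_ENVS:
        certs = (svc.get(env) or {}).get("tls", {}).get("certs") or {}
        cert_dirs = {}
        for field, allowed in EXPECTED_SUFFIXES.items():
            match = SECRET_RE.match(str(certs.get(field, "")))
            if match is None:
                problems.append(f"{name}/{env}: {field} is not a secret(certificates/<n>/<n>.*.pem) reference")
            elif match.group(2) not in allowed:
                problems.append(f"{name}/{env}: {field} has suffix {match.group(2)!r}, expected one of {allowed}")
            else:
                cert_dirs[field] = match.group(1)
        if len(set(cert_dirs.values())) > 1:
            problems.append(f"{name}/{env}: key and cert come from different certificate directories")
    return problems


# Constructed sample: the stanza above as PyYAML loads it (anchor resolved to one shared mapping).
_BLUBBEROID_TLS = {"certs": {
    "key": "secret(certificates/blubberoid/blubberoid.key.private.pem)",
    "cert": "secret(certificates/blubberoid/blubberoid.crt.pem)",
}}
SAMPLE_SERVICES = {"blubberoid": {env: {"tls": _BLUBBEROID_TLS} for env in REQUIRED_ENVS}}

if __name__ == "__main__":
    for line in check_service_tls(SAMPLE_SERVICES, "blubberoid") or ["blubberoid: OK"]:
        print(line)
```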