Chapter 8. Securing Data Grid Connections
Encrypt connections between clients and Data Grid nodes with Red Hat OpenShift service certificates or custom TLS certificates.
8.1. Using Red Hat OpenShift Service Certificates
Data Grid Operator automatically generates TLS certificates signed by the Red Hat OpenShift service CA. You can use these certificates to encrypt remote client connections.
Procedure
Set the following spec.security.endpointEncryption configuration in your Infinispan CR and then apply the changes:

```yaml
spec:
  ...
  security:
    endpointEncryption:
      type: service
      certServiceName: service.beta.openshift.io      # service that issues the TLS certificate
      certSecretName: example-rhdatagrid-cert-secret  # secret that holds the certificate and key
```
Data Grid Operator stores the certificate and key in a secret named <cluster_name>-cert-secret, where <cluster_name> is the name of the Data Grid cluster. For example, a cluster defined with:

```yaml
metadata:
  name: example-rhdatagrid
```

results in a secret named example-rhdatagrid-cert-secret.
8.1.1. Red Hat OpenShift Service Certificates
If the Red Hat OpenShift service CA is available, Data Grid Operator automatically generates a certificate, tls.crt, and key, tls.key, in PEM format.
Service certificates use the internal DNS name of the Data Grid cluster as the common name (CN), for example:
Subject: CN = example-infinispan.mynamespace.svc
For this reason, service certificates can be fully trusted only inside OpenShift. If you want to encrypt connections with clients running outside OpenShift, you should use custom TLS certificates.
Certificates are valid for one year and are automatically replaced before they expire. Because of this rotation, clients that trust tls.crt directly, rather than the service CA that signed it, must update their trust stores whenever the certificate is replaced.
8.1.2. Retrieving TLS Certificates
Get TLS certificates from encryption secrets to create client trust stores.
Retrieve tls.crt from the encryption secret as follows:

```shell
$ oc get secret example-rhdatagrid-cert-secret \
    -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
```
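The following script is added here as an example and is not part of the Data Grid documentation. It completes the step above for the client side: it checks that a retrieved tls.crt carries the cluster's internal DNS name as its CN, which is what a hostname-verifying client will compare against, and packages the certificate as a PKCS12 trust store using openssl. The cluster name example-rhdatagrid, the namespace mynamespace and the password changeit are illustrative assumptions; fetch_tls_crt needs access to the cluster and only runs when RUN_EXAMPLE=1.

```shell
#!/bin/sh
# Added example, not from the Data Grid documentation: verify a retrieved
# service certificate and turn it into a PKCS12 trust store for clients.
# Assumes openssl is installed; cluster and namespace names are illustrative.
set -eu

# Name of the secret the Operator creates for a cluster: <cluster>-cert-secret.
cert_secret_name() { printf '%s-cert-secret' "$1"; }

# Common name the service certificate carries: <cluster>.<namespace>.svc.
expected_cn() { printf '%s.%s.svc' "$1" "$2"; }

# Retrieve tls.crt from the secret (needs cluster access, as in the step above).
fetch_tls_crt() {
  # $1=cluster name, $2=output PEM file
  oc get secret "$(cert_secret_name "$1")" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d > "$2"
}

# Print the subject CN of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -e 's/^subject=//' -e 's/.*CN=\([^,]*\).*/\1/'
}

# Succeed only if the certificate's CN is the cluster's internal DNS name;
# a client that verifies hostnames will reject the connection otherwise.
check_service_cert() {
  # $1=PEM file, $2=cluster name, $3=namespace
  [ "$(cert_cn "$1")" = "$(expected_cn "$2" "$3")" ]
}

# Build a PKCS12 trust store holding only the certificate (no private key).
make_truststore() {
  # $1=PEM file, $2=output .p12, $3=trust store password
  openssl pkcs12 -export -nokeys -in "$1" -out "$2" -passout "pass:$3"
}

# Count certificates in a PKCS12 trust store, to confirm the import worked.
truststore_cert_count() {
  # $1=.p12 file, $2=password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Usage against a live cluster (set RUN_EXAMPLE=1 to run it):
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  fetch_tls_crt example-rhdatagrid tls.crt
  check_service_cert tls.crt example-rhdatagrid mynamespace
  make_truststore tls.crt truststore.p12 changeit
  echo "trust store holds $(truststore_cert_count truststore.p12 changeit) certificate(s)"
fi
```

A Java Hot Rod client can point its trust store configuration at truststore.p12 with the password chosen here; the CN check fails on purpose for any name other than the cluster's internal service DNS name, which is the same reason the page recommends custom certificates for clients outside OpenShift.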
8.2. Using Custom TLS Certificates
Use custom PKCS12 keystore or TLS certificate/key pairs to encrypt connections between clients and Data Grid clusters.
Prerequisites
Create either a keystore or certificate secret. See Section 8.2.1, Certificate Secrets, or Section 8.2.2, Keystore Secrets.
Procedure
Add the encryption secret to your OpenShift namespace, for example:
```shell
$ oc apply -f tls_secret.yaml
```
Specify the encryption secret with spec.security.endpointEncryption in your Infinispan CR and then apply the changes:

```yaml
spec:
  ...
  security:
    endpointEncryption:           # TLS configuration for the Data Grid endpoints
      type: secret                # use a secret you provide instead of the service CA
      certSecretName: tls-secret  # name of the certificate or keystore secret
```
8.2.1. Certificate Secrets
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
data:
  tls.key: "LS0tLS1CRUdJTiBQUk ..."  # base64-encoded private key in PEM format
  tls.crt: "LS0tLS1CRUdJTiBDRVl ..."  # base64-encoded certificate in PEM format
```
8.2.2. Keystore Secrets
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
stringData:
  alias: server       # alias of the key entry inside the keystore
  password: password  # keystore password
data:
  keystore.p12: "MIIKDgIBAzCCCdQGCSqGSIb3DQEHA..."  # base64-encoded PKCS12 keystore
```

The keystore password is stored in the secret as clear text, so restrict who can read the secret in the namespace.
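The following script is added here as an example and is not part of the Data Grid documentation. It produces both secret forms from Section 8.2.1 and Section 8.2.2 out of a server key and certificate: a certificate secret with tls.key and tls.crt, and a keystore secret with a PKCS12 keystore plus its alias and password, ready for oc apply. The self-signed certificate it generates stands in for one issued by your CA; the hostname datagrid.example.com, the alias server and the password changeit are illustrative assumptions, and the script assumes openssl is installed.

```shell
#!/bin/sh
# Added example, not from the Data Grid documentation: build both secret
# forms accepted by spec.security.endpointEncryption type: secret, from a
# server key and certificate. The self-signed certificate generated here
# stands in for one issued by your CA; names and passwords are illustrative.
set -eu

# Base64-encode a file on one line, as required in a Secret's data block.
b64() { base64 < "$1" | tr -d '\n'; }

# Self-signed server certificate whose SAN carries the external hostname,
# so clients outside OpenShift can verify it (replace with a CA-issued cert).
gen_server_cert() {
  # $1=hostname, $2=key out, $3=cert out
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2" -out "$3" 2>/dev/null
}

# Certificate secret (Section 8.2.1): tls.key and tls.crt as base64 in data.
write_cert_secret() {
  # $1=secret name, $2=key file, $3=cert file, $4=output YAML
  cat > "$4" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  tls.key: "$(b64 "$2")"
  tls.crt: "$(b64 "$3")"
EOF
}

# PKCS12 keystore holding the key and certificate under the given alias.
make_keystore() {
  # $1=key file, $2=cert file, $3=alias, $4=password, $5=output .p12
  openssl pkcs12 -export -inkey "$1" -in "$2" -name "$3" \
    -passout "pass:$4" -out "$5"
}

# Keystore secret (Section 8.2.2): alias and password in stringData,
# the keystore itself base64-encoded in data.
write_keystore_secret() {
  # $1=secret name, $2=.p12 file, $3=alias, $4=password, $5=output YAML
  cat > "$5" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
stringData:
  alias: $3
  password: $4
data:
  keystore.p12: "$(b64 "$2")"
EOF
}

# Read the alias back from a keystore to confirm it matches the secret.
keystore_alias() {
  # $1=.p12 file, $2=password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p'
}

# Usage (set RUN_EXAMPLE=1 to write the files into the current directory):
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  gen_server_cert datagrid.example.com tls.key tls.crt
  write_cert_secret tls-secret tls.key tls.crt cert_secret.yaml
  make_keystore tls.key tls.crt server changeit keystore.p12
  write_keystore_secret tls-secret keystore.p12 server changeit keystore_secret.yaml
  echo "apply one of them with: oc apply -f cert_secret.yaml"
fi
```

Apply only one of the two manifests; both use the name tls-secret so that certSecretName in the Infinispan CR can stay the same whichever form you choose. The alias in the keystore secret must match the -name given to openssl pkcs12, which is why keystore_alias reads it back before the manifest is written.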