Chapter 10. Configuring encryption

Encrypt connections between clients and Data Grid pods with Red Hat OpenShift service certificates or custom TLS certificates.

10.1. Encryption with Red Hat OpenShift service certificates

Data Grid Operator automatically generates TLS certificates that are signed by the Red Hat OpenShift service CA. Data Grid Operator then stores the certificates and keys in a secret so you can retrieve them and use with remote clients.

If the Red Hat OpenShift service CA is available, Data Grid Operator adds the following spec.security.endpointEncryption configuration to the Infinispan CR: 

spec:
  security:
    endpointEncryption:
      type: Service
      certServiceName: service.beta.openshift.io
      certSecretName: infinispan-cert-secret
FieldDescription

spec.security.endpointEncryption.certServiceName

Specifies the service that provides TLS certificates.

spec.security.endpointEncryption.certSecretName

Specifies a secret with a service certificate and key in PEM format. Defaults to <cluster_name>-cert-secret.

Note

Service certificates use the internal DNS name of the Data Grid cluster as the common name (CN), for example:

Subject: CN = example-infinispan.mynamespace.svc

For this reason, service certificates can be fully trusted only inside OpenShift. If you want to encrypt connections with clients running outside OpenShift, you should use custom TLS certificates.

Service certificates are valid for one year and are automatically replaced before they expire.

10.2. Retrieving TLS certificates

Get TLS certificates from encryption secrets to create client trust stores.

Procedure

  • Retrieve tls.crt from encryption secrets as follows: 

    oc get secret infinispan-cert-secret -o jsonpath='{.data.tls\.crt}' | base64 --decode > tls.crt

10.3. Disabling encryption

You can disable encryption so clients do not need TLS certificates to establish connections with Data Grid.

Important

Do not disable encryption if endpoints are accessible from outside the OpenShift cluster via spec.expose.type. You should disable encryption for development environments only.

Procedure

  1. Set None as the value for the spec.security.endpointEncryption.type field in your Infinispan CR. 

    spec:
  security:
    endpointEncryption:
      type: None
  2. Apply the changes.

10.4. Using custom TLS certificates

Use custom PKCS12 keystore or TLS certificate/key pairs to encrypt connections between clients and Data Grid clusters.

Prerequisites

  • Create either a keystore or certificate secret.

    Note

    The secret must be unique to each Infinispan CR instance in the OpenShift cluster. When you delete the Infinispan CR, OpenShift also automatically deletes the associated secret.

Procedure

  1. Add the encryption secret to your OpenShift namespace, for example: 

    oc apply -f tls_secret.yaml

  2. Specify the encryption secret with the spec.security.endpointEncryption.certSecretName field in your Infinispan CR. 

    spec:
  security:
    endpointEncryption:
      type: Secret
      certSecretName: tls-secret
  3. Apply the changes.

10.4.1. Custom encryption secrets

Custom encryption secrets that add keystores or certificate/key pairs to secure Data Grid connections must contain specific fields.

Keystore secrets

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
stringData:
  alias: server
  password: changeme
data:
  keystore.p12:  "MIIKDgIBAzCCCdQGCSqGSIb3DQEHA..."

FieldDescription

stringData.alias

Specifies an alias for the keystore.

stringData.password

Specifies the keystore password.

data.keystore.p12

Adds a base64-encoded keystore.

Certificate secrets

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
data:
  tls.key:  "LS0tLS1CRUdJTiBQUk ..."
  tls.crt: "LS0tLS1CRUdJTiBDRVl ..."

FieldDescription

data.tls.key

Adds a base64-encoded TLS key.

data.tls.crt

Adds a base64-encoded TLS certificate.