Red Hat SummitDieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 4. Configuring quantum secure gateways
Use the Kubernetes Gateway API with a post-quantum cryptographic algorithm to establish a secure ingress gateway.
4.1. Generating TLS certificates
Generate Transport Layer Security (TLS) certificates and create a secret to secure ingress traffic for a service mesh gateway.
Procedure
Create a directory for your certificates by running the following command:
$ mkdir certsGenerate the certificates for your gateway similar to the following examples:
Create the first certificate by running the following command:
$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \ -subj '/O=example Inc./CN=example.com' \ -keyout certs/example.com.key \ -out certs/example.com.crtCreate the second certificate by running the following command:
$ openssl req -out certs/httpbin.example.com.csr -newkey rsa:2048 -nodes \ -keyout certs/httpbin.example.com.key \ -subj "/CN=httpbin.example.com/O=httpbin organization"Create the third certificate by running the following command:
$ openssl x509 -req -sha256 -days 365 \ -CA certs/example.com.crt -CAkey certs/example.com.key \ -set_serial 0 -in certs/httpbin.example.com.csr \ -out certs/httpbin.example.com.crt
Create a secret containing the TLS certificate for your gateway by running the following command:
$ oc create -n istio-system secret tls httpbin-credential \ --key=certs/httpbin.example.com.key \ --cert=certs/httpbin.example.com.crt
4.2. Deploying quantum secure gateways
Configure and deploy a service mesh gateway by using the Kubernetes Gateway API to enable post-quantum cryptographic protection for ingress traffic.
Prerequisites
-
You are logged in to the OpenShift Container Platform web console 4.19+ as a user with the
cluster-adminrole. - You have installed the Red Hat OpenShift Service Mesh Operator 3.2.1+
-
You have created an
Istioresource with PQC enabled, and the Operator has deployed Istio. For more information, see "Installing service mesh with post-quantum cryptography (PQC)". You have installed the following CLI tools locally:
-
oc -
podman -
curl
-
Procedure
Deploy a gateway using the Kubernetes Gateway API by running the following command:
$ oc apply -f - <<EOF apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway metadata: name: pqc-gateway namespace: istio-system spec: gatewayClassName: istio listeners: - name: https port: 443 protocol: HTTPS tls: mode: Terminate certificateRefs: - name: httpbin-credential namespace: istio-system allowedRoutes: namespaces: from: All --- apiVersion: gateway.networking.k8s.io/v1beta1 kind: HTTPRoute metadata: name: httpbin-route namespace: default spec: parentRefs: - name: pqc-gateway namespace: istio-system hostnames: - "httpbin.example.com" rules: - matches: - path: type: PathPrefix value: / backendRefs: - name: httpbin port: 8000 EOFAdd the
istio-injection=enabledlabel to thedefaultnamespace by running the following command:$ oc label ns default istio-injection=enabledDeploy the backend server by running the following command:
$ oc apply -n default -f \ https://raw.githubusercontent.com/openshift-service-mesh/istio/master/samples/httpbin/httpbin.yaml
4.3. Verifying quantum secure gateways
Verify the post-quantum gateway configuration by testing connections with both post-quantum cryptography (PQC)-enabled and standard clients to confirm that only quantum-safe handshakes are accepted.
Procedure
Retrieve the external address based on the type of load balancer:
Retrieve the external address for your hostname-based load balancer by running the following command:
$ INGRESS_ADDR=$(oc get svc pqc-gateway-istio \ -n istio-system \ -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')Retrieve the external address for your IP-based load balancer by running the following command:
$ INGRESS_ADDR=$(oc get svc pqc-gateway-istio \ -n istio-system \ -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
Test the connection with the PQC-enabled client by running the following command:
$ podman run --rm -it \ -v ./certs/example.com.crt:/etc/certs/example.com.crt \ docker.io/openquantumsafe/curl \ curl -vk "https://$INGRESS_ADDR:443/headers" \ -H "Host: httpbin.example.com" \ --curves X25519MLKEM768 \ --cacert /etc/certs/example.com.crtThe request should succeed, and you should receive the
HTTPstatus as200.Verify that the connection fails with a standard
curlclient by running the following command:$ curl -vk "https://$INGRESS_ADDR:443/headers" \ -H "Host: httpbin.example.com" \ --cacert ./certs/example.com.crtYou will get errors similar to the following example:
* TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS alert, handshake failure (552): * TLS connect error: error:0A000410:SSL routines::ssl/tls alert handshake failure * closing connection #0 curl: (35) TLS connect error: error:0A000410:SSL routines::ssl/tls alert handshake failure
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}