Chapter 6. Configuring encryption
Encrypt connections between clients and Data Grid pods with Red Hat OpenShift service certificates or custom TLS certificates.
6.1. Encryption with Red Hat OpenShift service certificates
Data Grid Operator automatically generates TLS certificates that are signed by the Red Hat OpenShift service CA. Data Grid Operator then stores the certificates and keys in a secret so you can retrieve them and use them with remote clients.
If the Red Hat OpenShift service CA is available, Data Grid Operator adds the following spec.security.endpointEncryption configuration to the Infinispan CR:

```yaml
spec:
  security:
    endpointEncryption:
      type: Service
      certServiceName: service.beta.openshift.io
      certSecretName: example-infinispan-cert-secret
```
Field | Description
---|---
certServiceName | Specifies the service that provides TLS certificates.
certSecretName | Specifies a secret with a service certificate and key in PEM format. Defaults to
Service certificates use the internal DNS name of the Data Grid cluster as the common name (CN), for example:
Subject: CN = example-infinispan.mynamespace.svc
For this reason, service certificates can be fully trusted only inside OpenShift. If you want to encrypt connections with clients running outside OpenShift, you should use custom TLS certificates.
Service certificates are valid for one year and are automatically replaced before they expire.
6.2. Retrieving TLS certificates
Get TLS certificates from encryption secrets to create client trust stores.
Procedure
Retrieve tls.crt from encryption secrets as follows:

```shell
$ oc get secret example-infinispan-cert-secret \
    -o jsonpath='{.data.tls\.crt}' | base64 --decode > tls.crt
```
6.3. Disabling encryption
You can disable encryption so clients do not need TLS certificates to establish connections with Data Grid.
Do not disable encryption if endpoints are accessible from outside the OpenShift cluster via spec.expose.type. You should disable encryption for development environments only.
Procedure
- Set None as the value for the spec.security.endpointEncryption.type field in your Infinispan CR.

  ```yaml
  spec:
    security:
      endpointEncryption:
        type: None
  ```

- Apply the changes.
6.4. Using custom TLS certificates
Use a custom PKCS12 keystore or a TLS certificate/key pair to encrypt connections between clients and Data Grid clusters.
Prerequisites
Create either a keystore or certificate secret.
Note: The secret must be unique to each Infinispan CR instance in the OpenShift cluster. When you delete the Infinispan CR, OpenShift also automatically deletes the associated secret.
Procedure
- Add the encryption secret to your OpenShift namespace, for example:

  ```shell
  $ oc apply -f tls_secret.yaml
  ```

- Specify the encryption secret with the spec.security.endpointEncryption.certSecretName field in your Infinispan CR.

  ```yaml
  spec:
    security:
      endpointEncryption:
        type: Secret
        certSecretName: tls-secret
  ```

- Apply the changes.
6.4.1. Custom encryption secrets
This topic describes resources for custom encryption secrets.
Keystore secrets
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
stringData:
  alias: server
  password: changeme
data:
  keystore.p12: "MIIKDgIBAzCCCdQGCSqGSIb3DQEHA..."
```

Field | Description
---|---
alias | Specifies an alias for the keystore.
password | Specifies the keystore password.
keystore.p12 | Adds a base64-encoded keystore.
Certificate secrets
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
data:
  tls.key: "LS0tLS1CRUdJTiBQUk ..."
  tls.crt: "LS0tLS1CRUdJTiBDRVl ..."
```

Field | Description
---|---
tls.key | Adds a base64-encoded TLS key.
tls.crt | Adds a base64-encoded TLS certificate.
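The following is an added example, not part of this documentation or of Data Grid Operator: a small Python lint that checks an Infinispan CR's endpointEncryption block against the rules in this chapter (type None combined with spec.expose.type, and a type Secret whose referenced secret is not a valid keystore or certificate secret as described in 6.4.1), plus a helper that builds a certificate secret manifest from a PEM pair. The CR and secrets are plain dicts (as loaded from YAML); the function names and the sample keystore secret are constructed for this example.

```python
import base64

# Keys required by the two custom secret formats in 6.4.1 (keystore:
# alias/password in stringData plus the PKCS12 blob; certificate: PEM pair).
KEYSTORE_STRINGDATA = {"alias", "password"}
KEYSTORE_DATA = {"keystore.p12"}
CERT_DATA = {"tls.key", "tls.crt"}

def certificate_secret(name, key_pem, crt_pem):
    """Build a certificate secret manifest, base64-encoding the PEM pair."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name},
            "data": {"tls.key": b64(key_pem), "tls.crt": b64(crt_pem)}}

def secret_kind(secret):
    """Return 'keystore', 'certificate' or None for an encryption secret."""
    data, string_data = set(secret.get("data", {})), set(secret.get("stringData", {}))
    if KEYSTORE_DATA <= data and KEYSTORE_STRINGDATA <= string_data:
        return "keystore"
    return "certificate" if CERT_DATA <= data else None

def lint_encryption(cr, secrets):
    """Return findings for the CR's endpointEncryption block; `secrets` maps
    names of secrets present in the namespace to their manifests."""
    spec = cr.get("spec", {})
    enc = spec.get("security", {}).get("endpointEncryption", {})
    enc_type, findings = enc.get("type"), []
    if enc_type == "None":
        # The chapter rules out plaintext endpoints reachable from outside.
        if spec.get("expose", {}).get("type"):
            findings.append("encryption disabled while endpoints are exposed via spec.expose.type")
        else:
            findings.append("encryption disabled; acceptable for development only")
    elif enc_type == "Secret":
        name = enc.get("certSecretName")
        if not name:
            findings.append("type Secret requires certSecretName")
        elif name not in secrets:
            findings.append(f"certSecretName {name!r} not found in namespace")
        elif secret_kind(secrets[name]) is None:
            findings.append(f"secret {name!r} is neither a keystore nor a certificate secret")
    elif enc_type not in (None, "Service"):  # unset: the Operator fills in Service
        findings.append(f"unexpected endpointEncryption.type {enc_type!r}")
    return findings

# Constructed sample: a keystore secret shaped like 6.4.1 (keystore.p12 is a placeholder).
SAMPLE_KEYSTORE_SECRET = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "tls-secret"}, "stringData": {"alias": "server", "password": "changeme"},
    "data": {"keystore.p12": "PLACEHOLDER-NOT-A-REAL-PKCS12"}}
```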