Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 10. Configuring encryption

Encrypt connections between clients and Data Grid pods with Red Hat OpenShift service certificates or custom TLS certificates.

10.1. Encryption with Red Hat OpenShift service certificates
Copiar o link

Data Grid Operator automatically generates TLS certificates that are signed by the Red Hat OpenShift service CA. Data Grid Operator then stores the certificates and keys in a secret so you can retrieve them and use with remote clients.

If the Red Hat OpenShift service CA is available, Data Grid Operator adds the following spec.security.endpointEncryption configuration to the Infinispan CR: 

spec:
  security:
    endpointEncryption:
      type: Service
      certServiceName: service.beta.openshift.io
      certSecretName: infinispan-cert-secret
Copy to Clipboard Toggle word wrap
Expand
FieldDescription

spec.security.endpointEncryption.certServiceName

Specifies the service that provides TLS certificates.

spec.security.endpointEncryption.certSecretName

Specifies a secret with a service certificate and key in PEM format. Defaults to <cluster_name>-cert-secret.

Note

Service certificates use the internal DNS name of the Data Grid cluster as the common name (CN), for example:

Subject: CN = example-infinispan.mynamespace.svc

For this reason, service certificates can be fully trusted only inside OpenShift. If you want to encrypt connections with clients running outside OpenShift, you should use custom TLS certificates.

Service certificates are valid for one year and are automatically replaced before they expire.

10.2. Retrieving TLS certificates
Copiar o link

Get TLS certificates from encryption secrets to create client trust stores.

Procedure

  • Retrieve tls.crt from encryption secrets as follows: 

    oc get secret infinispan-cert-secret -o jsonpath='{.data.tls\.crt}' | base64 --decode > tls.crt
    Copy to Clipboard Toggle word wrap

10.3. Disabling encryption
Copiar o link

You can disable encryption so clients do not need TLS certificates to establish connections with Data Grid.

Important

Do not disable encryption if endpoints are accessible from outside the OpenShift cluster via spec.expose.type. You should disable encryption for development environments only.

Procedure

  1. Set None as the value for the spec.security.endpointEncryption.type field in your Infinispan CR. 

    spec:
  security:
    endpointEncryption:
      type: None
    Copy to Clipboard Toggle word wrap
  2. Apply the changes.

10.4. Using custom TLS certificates
Copiar o link

Use custom PKCS12 keystore or TLS certificate/key pairs to encrypt connections between clients and Data Grid clusters.

Prerequisites

  • Create either a keystore or certificate secret.

    Note

    The secret must be unique to each Infinispan CR instance in the OpenShift cluster. When you delete the Infinispan CR, OpenShift also automatically deletes the associated secret.

Procedure

  1. Add the encryption secret to your OpenShift namespace, for example: 

    oc apply -f tls_secret.yaml
    Copy to Clipboard Toggle word wrap

  2. Specify the encryption secret with the spec.security.endpointEncryption.certSecretName field in your Infinispan CR. 

    spec:
  security:
    endpointEncryption:
      type: Secret
      certSecretName: tls-secret
    Copy to Clipboard Toggle word wrap
  3. Apply the changes.

10.4.1. Custom encryption secrets
Copiar o link

Custom encryption secrets that add keystores or certificate/key pairs to secure Data Grid connections must contain specific fields.

Keystore secrets

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
stringData:
  alias: server
  password: changeme
data:
  keystore.p12:  "MIIKDgIBAzCCCdQGCSqGSIb3DQEHA..."
Copy to Clipboard Toggle word wrap

Expand
FieldDescription

stringData.alias

Specifies an alias for the keystore.

stringData.password

Specifies the keystore password.

data.keystore.p12

Adds a base64-encoded keystore.

Certificate secrets

apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: Opaque
data:
  tls.key:  "LS0tLS1CRUdJTiBQUk ..."
  tls.crt: "LS0tLS1CRUdJTiBDRVl ..."
Copy to Clipboard Toggle word wrap

Expand
FieldDescription

data.tls.key

Adds a base64-encoded TLS key.

data.tls.crt

Adds a base64-encoded TLS certificate.

Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat