红帽全球峰会此内容没有您所选择的语言版本。
Chapter 8. Securing Data Grid Connections
Encrypt connections between clients and Data Grid nodes with Red Hat OpenShift service certificates or custom TLS certificates.
8.1. Using Red Hat OpenShift Service Certificates
Data Grid Operator automatically generates TLS certificates signed by the Red Hat OpenShift service CA. You can use these certificates to encrypt remote client connections.
Procedure
Set the following
spec.security.endpointEncryptionconfiguration in your Infinispan CR and then apply the changes.Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Data Grid Operator stores in a secret named -cert-secret that is prefixed with the Data Grid cluster name, for example:
metadata: name: example-rhdatagrid
metadata:
name: example-rhdatagrid
The preceding cluster name results in a secret named example-rhdatagrid-cert-secret.
8.1.1. Red Hat OpenShift Service Certificates
If the Red Hat OpenShift service CA is available, Data Grid Operator automatically generates a certificate, tls.crt, and key, tls.key, in PEM format.
Service certificates use the internal DNS name of the Data Grid cluster as the common name (CN), for example:
Subject: CN = example-infinispan.mynamespace.svc
For this reason, service certificates can be fully trusted only inside OpenShift. If you want to encrypt connections with clients running outside OpenShift, you should use custom TLS certificates.
Certificates are valid for one year and are automatically replaced before they expire.
8.1.2. Retrieving TLS Certificates
Get TLS certificates from encryption secrets to create client trust stores.
-
Retrieve
tls.crtfrom encryption secrets as follows:
oc get secret example-rhdatagrid-cert-secret \
-o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
$ oc get secret example-rhdatagrid-cert-secret \
-o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt8.2. Using Custom TLS Certificates
Use custom PKCS12 keystore or TLS certificate/key pairs to encrypt connections between clients and Data Grid clusters.
Prerequisites
Create either a keystore or certificate secret. See:
Procedure
Add the encryption secret to your OpenShift namespace, for example:
oc apply -f tls_secret.yaml
$ oc apply -f tls_secret.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow Specify the encryption secret with
spec.security.endpointEncryptionin your Infinispan CR and then apply the changes.Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}