Self-signed certificates

Using your own self-signed certificates.

When running an edge deployment for Kerberos Factory, Kerberos Vault, Kerberos Hub and/or your storage providers, you can enhance security by bringing your own self-signed certificates. Those certificates are used to create a secure connection between the different applications and, for example, to encrypt your data while it is being sent to or retrieved from your storage provider (Minio, Ceph).

When using self-signed certificates, the different deployments need to be aware of those certificates and, more importantly, trust them. To achieve this trust you would traditionally rely on services like cert-manager.io and Let's Encrypt, which act as a trusted CA (Certificate Authority). When self-signing, however, there is no public CA that vouches for your certificates, so you need to make your deployments trust them yourself.

The issue

When using self-signed certificates you might see errors like the following in the logs.

{"level":"info","msg":"Upload Failed: Post \"https://vault.xxx.xxx/storage\": x509: certificate signed by unknown authority","time":"2022-01-06T14:17:07Z"}

To overcome this, inject a custom ca-certificates.crt that holds your self-signed certificate into the /etc/ssl/certs directory of the containers. By injecting it into your Kerberos Factory, Kerberos Vault and Kerberos Hub deployments, those applications can create a secured and trusted connection over SSL with all relevant services.
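The log line above is the error Go's certificate verifier returns when the presented certificate does not chain to any root in the trust store. The following Go program (an added illustration, not part of the Kerberos.io documentation or code) replays that verification step once against a trust store that lacks your certificate and once against a bundle with it appended, which is what the mounted ca-certificates.crt achieves. The certificate and the hostname vault.example.internal are constructed in memory for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mints a throwaway self-signed server certificate for host (constructed in memory
// for this example). It returns the DER the server would present and the PEM block you would
// append to ca-certificates.crt.
func selfSigned(host string) (der, pemBytes []byte, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // cannot fail with crypto/rand.Reader
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv); err != nil {
		return nil, nil, err
	}
	return der, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// verifyAgainstBundle replays the check Go's TLS client runs when Vault or an Agent connects to
// storage: the presented certificate must chain to a root in the trust store. bundle is the PEM
// content of ca-certificates.crt (nil: a store that knows nothing about your certificate).
// It reports whether the connection is trusted and whether the failure is the unknown-authority error.
func verifyAgainstBundle(serverDER, bundle []byte, host string) (trusted, unknownAuthority bool) {
	leaf, err := x509.ParseCertificate(serverDER)
	if err != nil {
		return false, false
	}
	roots := x509.NewCertPool() // a real container starts from x509.SystemCertPool() and appends
	roots.AppendCertsFromPEM(bundle)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	_, unknownAuthority = err.(x509.UnknownAuthorityError)
	return err == nil, unknownAuthority
}

func main() {
	der, certPEM, _ := selfSigned("vault.example.internal")
	fmt.Println(verifyAgainstBundle(der, nil, "vault.example.internal"))     // false true
	fmt.Println(verifyAgainstBundle(der, certPEM, "vault.example.internal")) // true false
}
```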

Injecting a ca-certificates.crt

Start by collecting all certificates you want to be trusted and append them to an existing ca-certificates.crt file, so the roots it already contains stay trusted. Once done, create a configmap in your cluster holding that file.

kubectl create configmap rootcerts -n kerberos-vault --from-file=./ca-certificates.crt

By creating the configmap, the contents of your ca-certificates.crt are stored in a specific namespace of your cluster (kerberos-vault in the example above), and you can attach it to a specific deployment.

Kerberos Agent

To inject your certificates file into your Kerberos Agents, you need to make Kerberos Factory aware of the configmap rootcerts that holds the certificate file. Go to the relevant deployment.yaml file and specify the name of your configmap in the CERTIFICATES_CONFIGMAP variable.

- name: CERTIFICATES_CONFIGMAP
  value: "rootcerts"

This overrides the existing ca-certificates.crt file in the Kerberos Agent deployments with the one from the configmap, so your self-signed certificates are included. Once done, your Kerberos Agents will benefit from a secure SSL connection that trusts your self-signed certificates.

Kerberos Factory / Vault

As Kerberos Factory and Kerberos Vault are each specified as a single deployment file, you can inject the configmap directly in the deployment.yaml file. Uncomment the volumes and volumeMounts sections; this mounts the configmap into your Kerberos Factory and/or Kerberos Vault deployments.

# Injecting the ca-certificates inside the container.
volumeMounts:
- name: rootcerts
  mountPath: /etc/ssl/certs/ca-certificates.crt
  subPath: ca-certificates.crt

Also uncomment the relevant volume definition.

volumes:
- name: rootcerts
  configMap:
    name: rootcerts
