Merge pull request #13 from WorldHealthOrganization/fix/mtls-certs-co…

…nfig-for-tng-connection fix: mtls certs config for tng connection
WorldHealthOrganization · Nov 24, 2023 · 96875db · 96875db
2 parents d890889 + 079b865
commit 96875db
Show file tree

Hide file tree

Showing 3 changed files with 117 additions and 1 deletion.
diff --git a/certs/From Files to secrets to container with mounted volumes.md b/certs/From Files to secrets to container with mounted volumes.md
@@ -0,0 +1,58 @@
+### How to populate the keystores and truststores, trustanchor files in k8s cluster  
+A general approach how to secrets are mounted volumes can be found in the official [documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume)  
+1.) generate the keystore, truststore trust_anchor  as described in [PlaceYourGatewayAccessKeysHere.md](PlaceYourGatewayAccessKeysHere.md)  
+2.) combine the resulting files in a single secret with  
+```(bash)
+kubectl create secret generic mtls_secret --dry-run=client -o yaml --from-file=tls_key_store.p12 --from-file=tng_tls_server_truststore.p12 --from-file=trustanchor_store.jks > mtls_secret.yaml
+kubectl create secret generic <secret-name> --dry-run=client -o yaml --from-file=<file1.p12> --from-file=<file2>.p12 --from-file=<file3.jks> > combined_tls_secret.yaml
+```
+this will result in a yaml file containing the base64 encoded file contents of that three files
+```(json)
+apiVersion: v1
+data:
+  tls_key_store.p12: MIIF3wIBAzCCBZUGDQEJFDEkHiIAYwBsAGkAZQBuAHQAYwByAGUAZABlAG4AdABpAGEAbABzMEEwMTANBglghkgBZQMEAgEFAAQgt/aPlSTVrkAIplPg++vrX...../czGzdjH1XPrutiae8EAFoECKv4c1pYD2TDAgIIAA==
+  trustanchor_store.jks: /u3+7QAAAAIAAAABAAAAAgAadG5nLXRscy1zZXJ2ZXItY2VydGlmaWNhdGUAAAGLVC9h5gAFWC41MDkAAAUaMIIFFjCCAv6gAwIBAgIRAJErCEr
+  tng_tls_server_truststore.p12: /u3+7QAAAAIAAAABAAAAAgAXoB1.....lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4avAuvDsz
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: mtls_secret
+```
+This file then can be temporarily included in your helm charts or directly applied to your cluster with
+```(shell)
+kubectl apply -f mtls_secret.yaml # will apply the secret to current context
+```  
+**Note that your secrets with keystores/truststores contain sensible data. Keep them in save place**
+
+In the deployment of your helm chart include the the secret as volumes in the template spec
+````(helm)
+spec:
+  template:
+    spec:
+      volumes:
+        - name: secrets-jks
+          secret:
+            secretName: mtls-secret
+            items:
+              - key: tls_key_store.p12
+                path: tls_key_store.p12
+              - key: trustanchor_store.jks
+                path: trustanchor_store.jks
+              - key: tng_tls_server_truststore.p12
+                path: tng_tls_server_truststore.p12
+````
+The items array is optional as long as the keynames reflect the filenames and all keys in the secret
+shall be mapped to files
+
+The according volume mounts are defined in the container section
+````(helm)
+spec:
+  templates:
+    spec:
+      containers:
+        volumeMounts:
+          - name: secrets-jks
+            mountPath: /certs
+            readOnly: true
+````
+
diff --git a/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml b/k8s/helm/tngkds/charts/tngkds-backend/templates/deployment.yaml
@@ -57,6 +57,32 @@ spec:
                 secretKeyRef:
                   name: {{ include "tngkds-backend.fullname" . }}-secret
                   key: pgPassword
+            - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PATH
+              value: {{ .Values.gateway.connector.tls_trust_store.path }}
+            - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_PASSWORD
+              value: {{ .Values.gateway.connector.tls_trust_store.password }}
+            - name: DGC_GATEWAY_CONNECTOR_TLS_TRUST_STORE_ALIAS
+              value: {{ .Values.gateway.connector.tls_trust_store.alias }}
+            - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PATH
+              value: {{ .Values.gateway.connector.tls_key_store.path }}
+            - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_PASSWORD
+              value: {{ .Values.gateway.connector.tls_key_store.password }}
+            - name: DGC_GATEWAY_CONNECTOR_TLS_KEY_STORE_ALIAS
+              value: {{.Values.gateway.connector.tls_key_store.alias }}
+            - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PATH
+              value: {{ .Values.gateway.connector.trust_anchor.path }}
+            - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_PASSWORD
+              value: {{ .Values.gateway.connector.trust_anchor.password }}
+            - name: DGC_GATEWAY_CONNECTOR_TRUST_ANCHOR_ALIAS
+              value: {{ .Values.gateway.connector.trust_anchor.alias }}
+            - name: DGC_GATEWAY_CONNECTOR_ENABLED
+              value: {{ .Values.gateway.connector.enabled |quote }}
+            - name: DGC_GATEWAY_CONNECTOR_ENDPOINT
+              value: {{ .Values.gateway.connector.endpoint }}
+          volumeMounts:
+            - name: secrets-jks
+              mountPath: /certs
+              readOnly: true
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}
@@ -71,3 +97,14 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      volumes:
+        - name: secrets-jks
+          secret:
+            secretName: mtls-secret
+            items:
+              - key: tls_key_store.p12
+                path: tls_key_store.p12
+              - key: trustanchor_store.jks
+                path: trustanchor_store.jks
+              - key: tng_tls_server_truststore.p12
+                path: tng_tls_server_truststore.p12
diff --git a/k8s/helm/tngkds/charts/tngkds-backend/values.yaml b/k8s/helm/tngkds/charts/tngkds-backend/values.yaml
@@ -10,7 +10,7 @@ image:
   repository: ghcr.io/worldhealthorganization/tng-key-distribution/tng-key-distribution
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "0.0.1-2840d04"
+  tag: "0.0.1-d890889"  #"0.0.1-2840d04"
 
 #kubectl -n <k8s-namespace> create secret docker-registry <k8s-docker-registry-secret-name> --docker-server=ghcr.io --docker-username=<github-username> --docker-password=<github-personal-access-token>  --docker-email=<email-address> -o yaml
 #kubectl -n kds create secret docker-registry tng-distribution-pull-secret --docker-server=ghcr.io --docker-username=anonymous --docker-password=<PAT>  --docker-email=anonymous@example.com -o yaml
@@ -110,3 +110,24 @@ spring:
 # Server port
 server:
   port: 8080
+
+
+gateway:
+  connector:
+    enabled: true
+    endpoint: <endpoint of the tng>
+    proxy:
+      enabled: false
+    max-cache-age: 300
+    tls_trust_store: #CA of TNG Gateway of TLS certificate
+      alias: <alias of the cert in truststore>
+      password: <password to open truststore>
+      path: <full pathname of the truststore file>
+    tls_key_store: # client cert key pair of participant
+      alias: <alias of the cert in keystore>
+      password: <password to open keystore>
+      path: <full path of the keystore file>
+    trust_anchor: # TA pem file of TNG that was used for signing
+      alias: <alias of the trust_anchor chert>
+      password: <password to open trust_anchor_store>
+      path: <full path of the trust_anchor_store>