
cert manager

Lakshmi Narayana Mekala edited this page Jun 27, 2023 · 1 revision

For BusinessEvents applications configured with SSL, the certificate manager converts the certificates into a single keystore.jks and truststore.jks before be-engine startup.

  • All certificates are made available under /opt/tibco/be/certstore

This feature is supported for the config providers listed below:

  • cmcncf - Use this if you have certificates created by the CNCF cert-manager and stored as secrets in Kubernetes
  • custom - Use this type to provide a custom implementation for the certificate manager of your choice

Note: This feature is currently supported for Linux-based containers.

CMCNCF

The CNCF cert-manager provider supports AWS and GCP Kubernetes clusters.

Pre-requisites

CNCF AWS Setup

  • Generate a policy with the CA ARN and attach the policy to the EKS cluster roles
  • Install cert-manager into the Kubernetes cluster using the Helm chart or kubectl
  • Install the CNCF-provided AWS Private CA Issuer into the Kubernetes cluster
  • Install a CA cluster issuer into the Kubernetes cluster using YAML (CA ARN + region)
  • Create a certificate using YAML; this generates the certificate and stores it in a Kubernetes secret

CNCF GCP Setup

  • Create a Kubernetes cluster and enable workload identity
  • Create a service account and add the privateca pools binding policy to the service account
  • Bind the Kubernetes service account to the Kubernetes cluster
  • Install cert-manager into the Kubernetes cluster using the Helm chart or kubectl
  • Install the CNCF-provided gcp-cas-issuer into the Kubernetes cluster

Procedure

  • Install a CA cluster issuer into the Kubernetes cluster using YAML (projectId + CA pool Id + region)
  • Create a certificate using YAML; this generates the certificate and stores it in a Kubernetes secret
  • Add the secret created in the certificate-issuing step under the certificates section of the values.yaml file and deploy the BE Helm chart

Build

To select this provider type, pass cmcncf to the --config-provider flag while building the BE application image. Sample:

./build_image.sh \
-i app \
-s /home/user/tibco/installers \
-a /home/user/tibco/app \
--config-provider cmcncf \
-t fdapp:latest

Run

The following environment variables apply to this config provider type:

  • CNCF_KEYSTORE_CERT - Kubernetes secret names required in the server keystore (optional); comma-separated values are allowed for multiple certificates
  • CNCF_TRUSTSTORE_CERT - Kubernetes secret names required in the client truststore (optional); comma-separated values are allowed for multiple certificates

Sample run:

docker run \
-e "CNCF_KEYSTORE_CERT=http-server-secret" \
-e "CNCF_TRUSTSTORE_CERT=http-client-secret" \
-p 8108:8108 --name=fdapp fdapp:latest

Custom

Implementation

To add a custom certificate provider, create a new folder under be-tools/cloud/docker/configproviders/custom/ and name it as you like, say CUSTOM_PROVIDER. Provide the implementation as per the instructions below:

  1. Add be-tools/cloud/docker/configproviders/custom/CUSTOM_PROVIDER/setup.sh. This is invoked by the framework during the BE application Docker build. Provide the logic to download required packages and set up the environment needed for the config provider.
  2. Add be-tools/cloud/docker/configproviders/custom/CUSTOM_PROVIDER/run.sh. This is invoked by the framework at run time. Provide the logic to fetch certificates and convert them into the required keystore/truststore JKS files.
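As an added example (not be-tools code, and not the cmcncf provider's own run.sh), the script below shows what a custom run.sh can do with inputs shaped like the cmcncf provider's CNCF_KEYSTORE_CERT / CNCF_TRUSTSTORE_CERT variables: split the comma-separated names, refuse names that would escape the source directory, turn each PEM certificate plus key into an entry in /opt/tibco/be/certstore/keystore.jks, and import certificate-only entries into truststore.jks. Everything beyond the wiki's own names is an assumption: the variable names KEYSTORE_CERT, TRUSTSTORE_CERT, CERT_SRC_DIR and STORE_PASS, the mounted-secret layout <name>/tls.crt and <name>/tls.key, and the use of openssl and keytool for the conversion.

```shell
#!/bin/sh
# Hypothetical run.sh for a custom config provider
# (be-tools/cloud/docker/configproviders/custom/CUSTOM_PROVIDER/run.sh).
# Added example; not be-tools code. Assumptions not taken from the wiki:
#  - PEM material is mounted under $CERT_SRC_DIR as <name>/tls.crt and
#    <name>/tls.key, the layout of a mounted Kubernetes TLS secret.
#  - openssl and keytool (from a JDK) are on PATH.
#  - STORE_PASS is the password be-engine is configured to use for the stores.
set -eu

CERTSTORE_DIR="${CERTSTORE_DIR:-/opt/tibco/be/certstore}"   # path from the wiki
CERT_SRC_DIR="${CERT_SRC_DIR:-/etc/certs}"                  # assumed mount point
STORE_PASS="${STORE_PASS:-changeit}"                        # assumed; set it in the deployment

# Split a comma-separated list (as in CNCF_KEYSTORE_CERT) into one name per line,
# trimming whitespace and dropping empty entries: "a, b,,c" -> a / b / c.
split_csv() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' || true
}

# Number of non-empty entries in a comma-separated list.
csv_count() {
    split_csv "$1" | wc -l | tr -d ' '
}

# A name becomes part of a filesystem path, so reject anything that could
# leave $CERT_SRC_DIR (path separators, "..", hidden entries, empty names).
valid_cert_name() {
    case "$1" in
        ''|*/*|*..*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Wrap one PEM certificate + private key into a PKCS12 bundle and merge it
# into keystore.jks under an alias equal to the secret name.
add_to_keystore() {
    name="$1"
    valid_cert_name "$name" || { echo "invalid certificate name: $name" >&2; return 1; }
    crt="$CERT_SRC_DIR/$name/tls.crt"
    key="$CERT_SRC_DIR/$name/tls.key"
    [ -r "$crt" ] && [ -r "$key" ] || { echo "missing tls.crt/tls.key for $name" >&2; return 1; }
    p12="$CERTSTORE_DIR/$name.p12"
    openssl pkcs12 -export -in "$crt" -inkey "$key" -name "$name" \
        -out "$p12" -passout "pass:$STORE_PASS"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$STORE_PASS" \
        -destkeystore "$CERTSTORE_DIR/keystore.jks" -deststoretype JKS \
        -deststorepass "$STORE_PASS"
    rm -f "$p12"   # do not leave a second copy of the private key on disk
}

# Import one PEM certificate (no key required) as a trusted entry in truststore.jks.
add_to_truststore() {
    name="$1"
    valid_cert_name "$name" || { echo "invalid certificate name: $name" >&2; return 1; }
    crt="$CERT_SRC_DIR/$name/tls.crt"
    [ -r "$crt" ] || { echo "missing tls.crt for $name" >&2; return 1; }
    keytool -importcert -noprompt -alias "$name" -file "$crt" \
        -keystore "$CERTSTORE_DIR/truststore.jks" -storetype JKS -storepass "$STORE_PASS"
}

main() {
    umask 077                      # stores contain a private key: owner-only files
    mkdir -p "$CERTSTORE_DIR"
    for n in $(split_csv "${KEYSTORE_CERT:-}"); do add_to_keystore "$n"; done
    for n in $(split_csv "${TRUSTSTORE_CERT:-}"); do add_to_truststore "$n"; done
}

# Run the conversion only when invoked as run.sh, so the helpers can be sourced.
if [ "${0##*/}" = "run.sh" ]; then
    main
fi
```

When the framework invokes this as run.sh with KEYSTORE_CERT=http-server-secret and TRUSTSTORE_CERT=http-client-secret, the result is a keystore.jks holding the server entry and a truststore.jks holding the client certificate, both readable only by the owning user. The name check matters because the variable value comes from the deployment environment and is joined straight into a path.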

Build

To select this provider type, pass CUSTOM_PROVIDER to the --config-provider flag while building the BE application image. Sample:

./build_image.sh \
-i app \
-s /home/user/tibco/installers \
--config-provider CUSTOM_PROVIDER \
-t fdcustom:latest

Example - custom/cmazure

  • This implementation supports certificates created in Azure Key Vault with certificate type PEM

Pre-requisites

  • Azure account with Key Vault access
  • Create a certificate in Key Vault with certificate type PEM
  • Azure service principal credentials

Build

To select this provider type, pass cmazure to the --config-provider flag while building the BE application image. Sample:

./build_image.sh \
-i app \
-s /home/user/tibco/installers \
-a /home/user/tibco/app \
--config-provider cmazure \
-t fdapp:latest

Run

The following environment variables apply to this config provider type:

  • AZ_CLIENT_ID - Azure client ID
  • AZ_CLIENT_PASSWORD - Azure app password
  • AZ_TENANT_ID - Azure tenant ID
  • AZ_KV_NAME - Azure Key Vault name
  • AZ_KV_KEYSTORE_CERT - Azure Key Vault certificate names for the server keystore (optional); comma-separated values are allowed for multiple certificates
  • AZ_KV_TRUSTSTORE_CERT - Azure Key Vault certificate names for the client truststore (optional); comma-separated values are allowed for multiple certificates

Sample run:

docker run \
-e "AZ_CLIENT_ID=<AZ_CLIENT_ID>" \
-e "AZ_CLIENT_PASSWORD=<AZ_CLIENT_PASSWORD>" \
-e "AZ_TENANT_ID=<AZ_TENANT_ID>" \
-e "AZ_KV_NAME=<AZ_KV_NAME>" \
-e "AZ_KV_KEYSTORE_CERT=<AZ_KV_KEYSTORE_CERT>" \
-e "AZ_KV_TRUSTSTORE_CERT=<AZ_KV_TRUSTSTORE_CERT>" \
-p 8108:8108 --name=fdapp fdapp:latest
