Using External Certificates with CTE for Kubernetes
You can use External Certificates for communication between CTE for Kubernetes and CipherTrust Manager.
Note
Install the external certificate before registering CTE for Kubernetes with CipherTrust Manager.
Overview
CipherTrust Transparent Encryption can now use an external certificate, available at a user-defined path, to communicate with CipherTrust Manager.
Prerequisites
The external certificate must be:
-
On the file system
-
In PEM format
A key pair must already exist for the client:
-
Must have Encryption type of either:
-
sha256WithRSAEncryption
-
ecdsa-with-SHA384
-
-
Must be Encrypted with a pass phrase
Initial setup
-
Obtain your external CA certificate.
-
Create a certificate using the external CA certificate and key.
CipherTrust Manager Setup
To setup CipherTrust Manager to communicate through an external certificate:
-
Import the CA certificate into the CipherTrust Manager, click CA > External > Add External CA.
-
In the Add External CA dialog, copy and paste the
<ca_certificate_name>.pem
file content from the UI page and provide a user-friendly name.For more information, see Using an Externally Generated Server Certificate for an Interface
-
Add the CA certificate to the list of trusted sources for the web interface, click Admin Settings > Interfaces > web > Edit > External Trusted CAs.
-
Restart the web server, click Admin Settings > Services > web > Restart.
-
Create a registration token for the CTE agent. See Creating a Registration Token for more information.
CTE for Kubernetes Setup for Client Registration
-
Add the Registration token to the configuration file
cte-csi-regtoken.yaml
with theregistration_token
parameter.apiVersion: v1 kind: Secret metadata: name: cm-reg-token type: Opaque data: This is a base64 encoded registration token. To generate: echo -n <CM REGISTRATION TOKEN STRING> | base64 -w 0 cm-reg-token: <registration token in base64 format>
-
Create a Kubernetes secret(s) with client certificate details:
kubectl create secret generic <client-secret-name> --from-file=<clientName>.crt=client_cert.pem --from-file=<clientName>.key=client_key.pem --from-file=<clientName>.passphrase=<passphrase>
where:
*<client-secret-name>
= unique name for secret
*<clientName>
= unique name for client
*<passphrase>
= passphrase for clientExample
kubectl create secret generic <client-secret-name> --from-file=client1.crt=client_cert.pem --from-file=client1.key=client_key.pem --from-file=client1.passphrase=passphrase
You can also use files from a specific path as a Partial or Absolute path:
kubectl create secret generic <client-secret-name> --from-file=<clientName>.crt=./client1/client_cert.pem --from-file=client1.key=./client1/client_key.pem --from-file=client1.passphrase=./client1/passphrase
To create multiple client certificate details (certificate, key and passphrase) with the secret:
kubectl create secret generic <client-secret-name> --from-file=<client1Name>.crt=<client1_cert.pem> --from-file=<client1Name>.key=<client1_key.pem> --from-file=<client1Name>.passphrase=<client1-passphrase> --from-file=<client2Name>.crt=<client2_cert.pem> --from-file=<client2Name>.key=<client2_key.pem> --from-file=<client2Name>.passphrase=<client2-passphrase>
where:
*<client-secret-name>
= unique name for secret
*<clientName>
= unique name for client
*<passphrase>
= passphrase for clientExample
kubectl create secret generic client1-client2-secret --from-file=client1.crt=client1_cert.pem --from-file=client1.key=client1_key.pem --from-file=client1.passphrase=client1-passphrase --from-file=client2.crt=client2_cert.pem --from-file=client2.key=client2_key.pem --from-file=client2.passphrase=client2-passphrase
If certificates are on different paths, provide the filename with the path (Partial or Absolute path)
kubectl create secret generic client1-client2-secret --from-file=client1.crt=./client1/client_cert.pem --from-file=client1.key=./client1/client_key.pem --from-file=client1.passphrase=./client1/passphrase --from-file=client2.crt=./client2/client_cert.pem --from-file=client2.key=./client2/client_key.pem --from-file=client2.passphrase=./client2/passphrase
Note
There must be an additional client certificate detail added to the secret
parameter external_ca_client_secret: <client-secret-name>
. This additional detail is required for each storage class deployment. This is because there is an additional requirement forSigner Registration
for each storage class. This Signer Registration is an additional default registration). -
Create the storage-class yaml file with a client secret name:
While creating the storage-class configuration file
cte-storageclass.yaml
add the following parameter:external_ca_client_secret: <client-secret-name>
Also make sure that the registration token secret name from the
cte-csi-regtoken.yaml
is correct and contains the following parameter:registration_token_secret: cm-reg-token
cte-storageclass.yaml
apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: csi-test-sc provisioner: csi.cte.cpl.thalesgroup.com reclaimPolicy: Delete volumeBindingMode: Immediate allowVolumeExpansion: true parameters: Domain name or IP address of the CipherTrust Manager (Required) key_manager_addr: 192.168.70.1 Name of the CipherTrust Manager K8s Storage Group. (Required) k8_storage_group: test-group Kubernetes Secret with CipherTrust Manager registration token (Required) registration_token_secret: cm-reg-Token Kubernetes secret with External CA signed client certificate (Optional) external_ca_client_secret: <client-secret-name> Description will be displayed in ${cm} (Optional) client_description: "K8s client" Time in minutes to wait before unregistering from the ${cm}. Default is 10 minutes. Once all volumes have been unguarded. Parameter must be added as a string integer value. (Optional) registration_period: "10"
Note
-
Each storage-class will have its own client secret with a client certificate, key and passphrase details.
-
If one storage-class is being used over multiple worker nodes, then the client secret will have multiple client details (certificate, key and passphrase)