Spring Cloud Gateway for Kubernetes supports authentication and authorization using Single Sign-On (SSO) with an OpenID identity provider that supports the OpenID Connect Discovery protocol.

In some scenarios the identity provider uses a certificate issued by a custom CA, or a self-signed certificate, on its HTTPS endpoints. In that case the corresponding public certificate must be provided to Spring Cloud Gateway so that it can validate the connection.

Spring Cloud Gateway for Kubernetes Configuration

Certificate Secret Configuration

The first step is to create the Secret that holds the certificate used to connect to the authorization server.

The simplest way to do this is with the kubectl CLI:

kubectl create secret generic tls-cert \
  --from-literal type=ca-certificates \
  --from-file ca.pem=auth-server-public.cert

The only requirements are that the Secret contains a type entry with the value ca-certificates and a ca.pem entry holding the certificate. A Kubernetes TLS secret can also be used, but the kubectl CLI does not allow choosing different entry names for the --cert and --key parameters, so such a secret must be created by other means, for example by applying a YAML resource directly.

Spring Cloud Gateway for Kubernetes Configuration

Then, reference the Secret in the sso.tls.secretName property of the SpringCloudGateway resource:

apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGateway
metadata:
  name: my-gateway
spec:
  sso:
    secret: sso-credentials-secret
    tls:
      secretName: sso-tls-secret

This adds the certificate to the gateway's TrustStore so that it can establish TLS connections to the authorization server.
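The two steps above can be applied together as one reviewed manifest. The following script is an added example (not from the Spring Cloud Gateway documentation): it checks that the file really is a certificate bundle and not a private key, renders the Secret with exactly the two required entries (type and ca.pem) as the YAML alternative to kubectl create secret, and renders the SpringCloudGateway resource from the same secret name so the reference in spec.sso.tls.secretName cannot drift from the Secret actually created. The secret names sso-tls-secret and sso-credentials-secret and the gateway name my-gateway are taken from the manifest above; the namespace and file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Spring Cloud Gateway documentation.
# Renders the CA-certificate Secret and the SpringCloudGateway resource as one
# YAML stream for `kubectl apply -f`. Names other than those in the docs
# (namespace, file paths) are illustrative assumptions.
set -eu

# Check that a file holds at least one PEM certificate block and no private
# key. Returns 0 when acceptable, 1 otherwise; a key must never be packaged
# into this Secret, which is mounted as trust material only.
check_ca_pem() {
  pem="$1"
  [ -f "$pem" ] || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || return 1
  grep -q -- '-----END CERTIFICATE-----' "$pem" || return 1
  if grep -q -- 'PRIVATE KEY-----' "$pem"; then return 1; fi
  return 0
}

# Emit a generic Secret carrying the two entries the gateway requires:
# data.type = "ca-certificates" and data.ca.pem = the PEM bundle.
# base64 output is line-wrapped on some platforms, so newlines are stripped.
render_ca_secret() {
  name="$1"; namespace="$2"; pem="$3"
  check_ca_pem "$pem" || {
    echo "refusing to package $pem: not a CA certificate file" >&2
    return 1
  }
  type_b64=$(printf '%s' ca-certificates | base64 | tr -d '\n')
  pem_b64=$(base64 < "$pem" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: Opaque
data:
  type: $type_b64
  ca.pem: $pem_b64
EOF
}

# Emit the SpringCloudGateway resource pointing at the credentials Secret and
# the TLS Secret by name (the property names match the documented manifest).
render_gateway() {
  name="$1"; namespace="$2"; creds="$3"; tls_secret="$4"
  cat <<EOF
apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGateway
metadata:
  name: $name
  namespace: $namespace
spec:
  sso:
    secret: $creds
    tls:
      secretName: $tls_secret
EOF
}

# Render both resources with one shared secret name so that
# spec.sso.tls.secretName always refers to the Secret being created.
render_manifests() {
  gateway="$1"; namespace="$2"; pem="$3"; tls_secret="${4:-sso-tls-secret}"
  render_ca_secret "$tls_secret" "$namespace" "$pem"
  printf -- '---\n'
  render_gateway "$gateway" "$namespace" sso-credentials-secret "$tls_secret"
}

# Usage: sh render-sso-tls.sh <gateway-name> <namespace> <ca.pem> [secret-name]
# e.g.   sh render-sso-tls.sh my-gateway default auth-server-public.cert | kubectl apply -f -
if [ $# -ge 3 ]; then
  render_manifests "$@"
fi
```

Piping the output through kubectl apply -f - gives the same result as the kubectl create secret command above, with the advantage that the manifest can be diffed and stored alongside the gateway definition; the private-key check is there because the same PEM directory often holds both the issuer certificate and a server key.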

Standalone Gateway Configuration

When Spring Cloud Gateway runs in standalone mode, the configuration is no different from the TLS configuration of any other JVM server, and the JVM documentation available online covers it.

In summary, the options are:

  1. Add your certificate to the JVM TrustStore.
  2. Configure a dedicated CA TrustStore using the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties.
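The second option, a dedicated TrustStore, as an added example that is not part of the Spring Cloud Gateway documentation: it imports the identity provider's certificate into a PKCS12 store with the JDK's keytool, lists the store so the import can be confirmed, and prints the system properties that point the gateway JVM at it. The javax.net.ssl.trustStoreType property is a standard JSSE property added here beyond the two the list names; the file names, alias and password are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Spring Cloud Gateway documentation.
# Assumes keytool from a JDK is on PATH. Paths, alias and password are
# illustrative; the password should come from the environment or a secret.
set -eu

# Import one PEM certificate into a PKCS12 truststore, creating it if absent.
# A dedicated store keeps the gateway's trust decisions separate from the
# JDK's bundled cacerts, so only the identity provider's issuer is trusted by
# this store and JDK upgrades do not silently drop the entry.
import_ca_to_truststore() {
  cert="$1"; store="$2"; storepass="$3"; alias="${4:-sso-idp-ca}"
  keytool -importcert -noprompt -trustcacerts \
    -alias "$alias" -file "$cert" \
    -keystore "$store" -storetype PKCS12 -storepass "$storepass"
}

# Print the aliases of trusted certificate entries in the store, one per line,
# so the operator can confirm exactly what the gateway will trust.
list_truststore_aliases() {
  keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" \
    | sed -n 's/^\([^,]*\),.*trustedCertEntry.*/\1/p'
}

# JVM options that switch the gateway to the dedicated store; pass them via
# JAVA_TOOL_OPTIONS or on the java command line.
gateway_trust_jvm_opts() {
  printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=%s\n' "$1" "$2"
}

# Usage: sh idp-truststore.sh <idp-ca.pem> <truststore.p12> <password> [alias]
if [ $# -ge 3 ]; then
  import_ca_to_truststore "$1" "$2" "$3" "${4:-sso-idp-ca}"
  echo "trusted entries in $2:"
  list_truststore_aliases "$2" "$3"
  echo "start the gateway with:"
  gateway_trust_jvm_opts "$2" "$3"
fi
```

Listing the store after the import is the check worth keeping: a dedicated TrustStore replaces the JDK's default trust anchors entirely, so any other HTTPS endpoint the gateway must reach (a route backend, for example) needs its issuer imported the same way.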