Transport Layer Security

Connecting Client Applications to a GemFire Cluster with Default TLS

The default implementation of GemFire for Kubernetes uses cert-manager for all certificate issuers and certificates.

A certificate will need to be created for the client applications, using the same cert-manager ClusterIssuer, gemfire-ca-issuer, used by the GemFire cluster.

Here is an example of how to create a certificate with cert-manager and mount it within the client application pod.

  1. Create a Kubernetes Secret where the TLS certificate will be stored.

    apiVersion: v1
    kind: Secret
    metadata:
      name: client-cert
      namespace: <client namespace>
    stringData:
      password: <certificate encryption password>
    

    where:

    • client namespace is the namespace where the client application will be running
    • certificate encryption password is a password used by cert-manager to encrypt this TLS certificate
  2. Create a TLS certificate.

    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: client-cert
      namespace: <client namespace>
    spec:
      duration: 2160h # 90d
      renewBefore: 360h # 15d
      subject:
        organizations:
        - Example.com
      commonName: client-cert
      isCA: false
      privateKey:
        algorithm: RSA
        encoding: PKCS1
        size: 2048
      usages:
      - server auth
      - client auth
      dnsNames:
      - "*.<client namespace>"
      issuerRef:
        kind: ClusterIssuer
        name: gemfire-ca-issuer
        group: cert-manager.io
      secretName: client-cert
      keystores:
        pkcs12:
          create: true
          passwordSecretRef:
            key: password
            name: client-cert
    
  3. Mount the secret to the client application pod by adding a volumes entry and a volumeMount entry.

    apiVersion: v1
    kind: Pod
    metadata:
      name: ...
    spec:
      containers:
      - name: client
            image: ...
            volumeMounts:
            - mountPath: /certs
              name: cert-volume
      volumes:
      - name: cert-volume
        secret:
          secretName: client-cert
    
  4. Configure client application to use the TLS certificate. (See Configuring SSL for more information.)

    ...
    // encryption password may also be retrieved from /certs/password
    ClientCache client = new ClientCacheFactory()
        .set("ssl-keystore", "/certs/keystore.p12")
        .set("ssl-keystore-password", "<certificate_encryption_password>")
        .set("ssl-truststore", "/certs/truststore.p12")
        .set("ssl-truststore-password", "<keystore_encryption_password>")
        .create();
    ...
    

Providing a Custom TLS Certificate for the GemFire Operator

To incorporate custom TLS certificates, add them to Kubernetes secrets used by the Operator and the Tanzu GemFire Cluster.

Note: It is important to add the locator service, server service, GemFire locator and server members as a Subject Alternative Name (SAN) on the certificates. The name that will be used for the GemFire Cluster and the namespace in which it is deployed will determine the SAN values.

Here is an example of how to configure the GemFire Operator to use custom certificates.

  1. Create an opaque Kubernetes secret containing the custom certificates in the namespace in which you deployed the GemFire Cluster. In the following instructions, replace NAMESPACE-NAME with the name of this namespace.

    kubectl create secret generic secret-tls --namespace NAMESPACE-NAME \
            --from-file=tls.crt=<path/to/tls.crt> \
            --from-file=tls.key=<path/to/tls.key> \
            --from-file=ca.crt=<path/to/ca.crt>
    
  2. Install the GemFire operator and specify the secret containing the custom certificates.

    helm install \
            gemfire-operator gemfire-operator-2.0.0.tgz \
            --namespace NAMESPACE-NAME \
            --set tlsSecretName=secret-tls
    

The following is an example of configuring a GemFire Cluster to use custom certificates:

Note: PKCS12 or JKS formats also must be provided, along with the encryption password used when encrypting the keystores.

  1. Create a secret in the gemfire-cluster namespace.

    kubectl create secret generic secret-tls --namespace gemfire-cluster \
            --from-file=keystore.p12=<path/to/keystore.p12> \
            --from-file=truststore.p12=<path/to/truststore.p12> \
            --from-file=tls.crt=<path/to/tls.crt> \
            --from-file=tls.key=<path/to/tls.key> \
            --from-file=ca.crt=<path/to/ca.crt> \
            --from-file=password='</path/to/fileWithEncryptionPassword>'
    
  2. Create the GemFire Cluster and specify the secret containing the custom certificates in the spec.security.tls section of the custom resource definition.

    cat << EOF | kubectl create -f -
    apiVersion: gemfire.vmware.com/v1
    kind: GemFireCluster
    metadata:
      name: gemfirecluster-custom-tls
      namespace: gemfire-cluster
    spec:
      image: registry.tanzu.vmware.com/pivotal-gemfire/vmware-gemfire:9.15.0
      security:
        tls:
          secretName: secret-tls
          clientAuthenticationRequired: false
      metrics:
        emission: Default
      locators:
        replicas: 2
        resources:
          requests:
            memory: 1Gi
      servers:
        replicas: 2
        resources:
          requests:
            memory: 1Gi
    EOF
    
check-circle-line exclamation-circle-line close-line
Scroll to top icon