Envoy Filter
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: RAPP-NAME-outbound-filter
  namespace: RAPP-NS
spec:
  workloadSelector:
    labels:
      app.kubernetes.io/name: RAPP-NAME
  configPatches:
    # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_OUTBOUND
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
        name: envoy.lua
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_request(request_handle)
              local path = request_handle:headers():get(":path")
              local method = request_handle:headers():get(":method")
              -- Only non-POST requests to paths other than the token endpoint get a token,
              -- so the token call itself is never augmented. Use "or" instead of "and" if
              -- POST requests to other paths should also carry a token.
              if (method ~= "POST" and path ~= "/auth/realms/REALM-NAME/protocol/openid-connect/token")
              then
               -- Ask the jwt-proxy (the jwt_cluster defined below) for a token:
               -- arguments are cluster, headers, body, timeout in milliseconds.
               local headers, body = request_handle:httpCall(
                "jwt_cluster",
                {
                 [":method"] = "GET",
                 [":path"] = "/token",
                 [":authority"] = "jwt-proxy",
                 ["realm"] = "REALM-NAME",
                 ["client"] = "CLIENT-NAME"
                },
                "jwt call",
                5000)
               -- Copy the Authorization header returned by the proxy onto the outbound request.
               if (headers["authorization"] ~= nil)
               then
                   request_handle:headers():add("authorization", headers["authorization"])
               end
              end
            end
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value: # cluster specification
        name: jwt_cluster
        type: STRICT_DNS
        connect_timeout: 60s
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: jwt_cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: 0.0.0.0
                    port_value: 8888


CFSSL

CFSSL is Cloudflare's PKI/TLS toolkit: a command-line tool and an HTTP API server for signing, verifying, and bundling TLS certificates.

To run this you first need to create an image with cfssl installed:

Dockerfile (cfssl)
FROM debian:latest
# Install curl and fetch the pinned cfssl and cfssljson release binaries (v1.5.0, linux/amd64).
# -f makes curl fail on an HTTP error instead of saving the error page as the "binary".
RUN apt-get update && apt-get install -y curl && \
    curl -fL https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64 -o /usr/local/bin/cfssl && \
    curl -fL https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64 -o /usr/local/bin/cfssljson && \
    chmod +x /usr/local/bin/cfssl && \
    chmod +x /usr/local/bin/cfssljson
RUN mkdir /config
RUN mkdir /certs
WORKDIR /certs
EXPOSE 8888
EXPOSE 8889
# Exec form takes one argument per element; a single "cfssl version" string would be
# looked up as a binary literally named "cfssl version" and the container would fail to start.
ENTRYPOINT ["cfssl", "version"]

This will install cfssl on a Debian image.

You can then use this image to create a cfssl service in your k8s cluster:

kubectl create -f rapps-cfssl.yaml

Once the pod is up and running you can connect to it by using port forwarding:

kubectl port-forward service/rapps-cfssl 8888:8888

You can generate signed certificates using a POST request like the following:

curl -s -X POST -H "Content-Type: application/json" -d @./rapp-helloworld-provider-server.json http://127.0.0.1:8888/api/v1/cfssl/newcert

The rapp-helloworld-provider-server.json file looks like this:

{
   "request":{
      "hosts":[
         "rapp-helloworld-provider"
      ],
      "names":[
         {
            "C":"IE",
            "ST":"Ireland",
            "L":"Dublin",
            "O":"EST Rapp Provider",
            "OU":"EST Rapp Provider hosts"
         }
      ],
      "CN":"rapp-helloworld-provider",
      "key":{
         "algo":"rsa",
         "size":2048
      }
   },
   "profile":"server"
}

To extract the certificate and private key from the response, capture it in a shell variable and parse the JSON with jq (quote the variable so the JSON is passed through unchanged):

NEWCERT=$(curl -s -X POST -H "Content-Type: application/json" -d @./rapp-helloworld-provider-server.json http://127.0.0.1:8888/api/v1/cfssl/newcert)

echo "$NEWCERT" | jq -r .result.certificate

echo "$NEWCERT" | jq -r .result.private_key
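The curl/jq steps above work, but they silently write whatever comes back, including an error response, into the certificate and key files. The following Python script is an added example (not part of the original page or of cfssl itself) that performs the same newcert request and checks the response before anything is written. It assumes the port-forwarded URL http://127.0.0.1:8888 from the page, the standard cfssl JSON envelope with success, result, errors and messages fields (result.certificate and result.private_key are the fields the page's jq calls read), and reuses the subject values from rapp-helloworld-provider-server.json. The sample responses embedded at the bottom are constructed for offline use and contain no real key material; the private key file is created with mode 0600.

```python
"""Request a signed certificate from cfssl's newcert API and unpack the
response safely. Added example, not code from the original page."""
import json
import os
import urllib.request

# Assumption: same endpoint as the page's `kubectl port-forward service/rapps-cfssl 8888:8888`.
CFSSL_URL = "http://127.0.0.1:8888"


def build_newcert_request(cn, hosts, profile="server", key_algo="rsa", key_size=2048):
    """Build the JSON body for POST /api/v1/cfssl/newcert (same shape as the page's file)."""
    return {
        "request": {
            "hosts": list(hosts),
            "names": [{"C": "IE", "ST": "Ireland", "L": "Dublin",
                       "O": "EST Rapp Provider", "OU": "EST Rapp Provider hosts"}],
            "CN": cn,
            "key": {"algo": key_algo, "size": key_size},
        },
        "profile": profile,
    }


def parse_newcert_response(raw):
    """Validate the cfssl envelope and return (certificate_pem, private_key_pem).

    Assumes the cfssl API envelope {"success": bool, "result": {...}, "errors": [...]}.
    Raises RuntimeError when signing failed or the PEM blocks are missing, so a
    caller never writes an error page or an empty string to disk as a key."""
    body = json.loads(raw)
    if not body.get("success"):
        errs = "; ".join(f"{e.get('code')}: {e.get('message')}" for e in body.get("errors", []))
        raise RuntimeError(f"cfssl newcert failed: {errs or 'no error detail'}")
    result = body.get("result") or {}
    cert = result.get("certificate", "")
    key = result.get("private_key", "")
    if not cert.startswith("-----BEGIN CERTIFICATE-----") or "PRIVATE KEY-----" not in key:
        raise RuntimeError("cfssl response did not contain a PEM certificate and private key")
    return cert, key


def write_material(cert, key, cert_path, key_path):
    """Write the PEMs; the key file is created with mode 0600 so other users cannot read it."""
    with open(cert_path, "w") as f:
        f.write(cert)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key)


def request_newcert(body, url=CFSSL_URL, timeout=10):
    """POST the request body to /api/v1/cfssl/newcert and return the raw response text."""
    req = urllib.request.Request(
        url + "/api/v1/cfssl/newcert",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


# Constructed sample responses (no real key material, error code made up) for offline use.
SAMPLE_OK = json.dumps({
    "success": True,
    "result": {
        "certificate": "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n",
    },
    "errors": [], "messages": [],
})
SAMPLE_ERR = json.dumps({
    "success": False, "result": None,
    "errors": [{"code": 5100, "message": "Invalid policy: no such profile"}],
    "messages": [],
})

if __name__ == "__main__":
    body = build_newcert_request("rapp-helloworld-provider", ["rapp-helloworld-provider"])
    cert, key = parse_newcert_response(request_newcert(body))
    write_material(cert, key, "rapp-helloworld-provider.pem", "rapp-helloworld-provider-key.pem")
```

Run it with the port-forward from the page in place; if cfssl rejects the request (unknown profile, bad key spec) the script stops with cfssl's own error messages instead of leaving an empty key file behind.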