...
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: RAPP-NAME-outbound-filter
  namespace: RAPP-NS
spec:
  workloadSelector:
    labels:
      app.kubernetes.io/name: RAPP-NAME
  configPatches:
  # The first patch adds the lua filter to the listener/http connection manager
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_OUTBOUND
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.router"
    patch:
      operation: INSERT_BEFORE
      value: # lua filter specification
        name: envoy.lua
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_request(request_handle)
              local path = request_handle:headers():get(":path")
              local method = request_handle:headers():get(":method")
              -- Only inject a token when the request is not a POST and is not
              -- the token-endpoint call itself (the original code read an
              -- undefined variable here; it now checks the ":path" it fetched).
              if (method ~= "POST" and path ~= "/auth/realms/REALM-NAME/protocol/openid-connect/token") then
                -- Make an HTTP call to an upstream host with the following headers, body, and timeout.
                local headers, body = request_handle:httpCall(
                  "jwt_cluster",
                  {
                    [":method"] = "GET",
                    [":path"] = "/token",
                    [":authority"] = "jwt-proxy",
                    ["realm"] = "REALM-NAME",
                    ["client"] = "CLIENT-NAME"
                  },
                  "jwt call",
                  5000)
                -- Copy the token returned by the jwt proxy onto the outbound request.
                if (headers["authorization"] ~= nil) then
                  request_handle:headers():add("authorization", headers["authorization"])
                end
              end
            end
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
    patch:
      operation: ADD
      value: # cluster specification
        name: jwt_cluster
        type: STRICT_DNS
        connect_timeout: 60s
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: jwt_cluster
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: 0.0.0.0
                    port_value: 8888
```
CFSSL
CFSSL is CloudFlare's PKI/TLS tool. It is both a command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates.
To run this you first need to create an image with cfssl installed:
```dockerfile
FROM debian:latest
# Fetch the cfssl and cfssljson release binaries and make them executable
RUN apt-get update && apt-get install -y curl && \
    curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64 -o /usr/local/bin/cfssl && \
    curl -L https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64 -o /usr/local/bin/cfssljson && \
    chmod +x /usr/local/bin/cfssl && \
    chmod +x /usr/local/bin/cfssljson
RUN mkdir /config
RUN mkdir /certs
WORKDIR /certs
EXPOSE 8888
EXPOSE 8889
# Exec form takes one argument per element; a single "cfssl version" string would be looked up as one binary name
ENTRYPOINT ["cfssl", "version"]
```
This will install cfssl on a debian image.
You can then use this image to create a cfssl service in your k8s cluster.
kubectl create -f rapps-cfssl.yaml
Once the pod is up and running you can connect to it by using port forwarding:
kubectl port-forward service/rapps-cfssl 8888:8888
You can generate signed certificates using a POST request like the following:
curl -s -X POST -H "Content-Type: application/json" -d @./rapp-helloworld-provider-server.json http://127.0.0.1:8888/api/v1/cfssl/newcert
The rapp-helloworld-provider-server.json looks like this:
```json
{
  "request": {
    "hosts": [
      "rapp-helloworld-provider"
    ],
    "names": [
      {
        "C": "IE",
        "ST": "Ireland",
        "L": "Dublin",
        "O": "EST Rapp Provider",
        "OU": "EST Rapp Provider hosts"
      }
    ],
    "CN": "rapp-helloworld-provider",
    "key": {
      "algo": "rsa",
      "size": 2048
    }
  },
  "profile": "server"
}
```
To parse the response contents you can use the following method:
```bash
NEWCERT=$(curl -s -X POST -H "Content-Type: application/json" -d @./rapp-helloworld-provider-server.json http://127.0.0.1:8888/api/v1/cfssl/newcert)
# Quote the variable so the PEM line breaks in the response survive the echo
echo "$NEWCERT" | jq -r .result.certificate
echo "$NEWCERT" | jq -r .result.private_key
```
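As an added example (not part of the original page or of cfssl itself), the following Python builds the same newcert request body as rapp-helloworld-provider-server.json and parses the API response envelope, checking the `success` flag and `errors` array that the `jq` pipeline above skips (on a failed request `jq -r .result.certificate` just prints `null`), then writes the key with owner-only permissions. The sample responses are constructed placeholders, not real certificates.

```python
import json
import os


def build_newcert_request(cn, hosts, profile="server", key_size=2048):
    """Return the JSON body POSTed to /api/v1/cfssl/newcert (subject fields as on the page)."""
    return {
        "request": {
            "hosts": list(hosts),
            "names": [{"C": "IE", "ST": "Ireland", "L": "Dublin",
                       "O": "EST Rapp Provider", "OU": "EST Rapp Provider hosts"}],
            "CN": cn,
            "key": {"algo": "rsa", "size": key_size},
        },
        "profile": profile,
    }


class CfsslError(RuntimeError):
    """Raised when the cfssl API reports success=false or an incomplete result."""


def parse_newcert_response(body):
    """Return (certificate_pem, private_key_pem) from a cfssl API response string."""
    resp = json.loads(body)
    if not resp.get("success"):
        msgs = "; ".join(e.get("message", str(e)) for e in resp.get("errors", []))
        raise CfsslError(msgs or "cfssl returned success=false")
    result = resp.get("result") or {}
    cert, key = result.get("certificate"), result.get("private_key")
    if not cert or not key:
        raise CfsslError("response is missing certificate or private_key")
    return cert, key


def write_credentials(cert, key, directory):
    """Write tls.crt and tls.key; the key file is created with mode 0600."""
    cert_path = os.path.join(directory, "tls.crt")
    key_path = os.path.join(directory, "tls.key")
    with open(cert_path, "w") as f:
        f.write(cert)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key)
    return cert_path, key_path


# Constructed sample responses (placeholder PEM text and error code, not real data)
SAMPLE_OK = json.dumps({"success": True, "errors": [], "messages": [], "result": {
    "certificate": "-----BEGIN CERTIFICATE-----\nEXAMPLE\n-----END CERTIFICATE-----\n",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nEXAMPLE\n-----END RSA PRIVATE KEY-----\n"}})
SAMPLE_FAIL = json.dumps({"success": False, "result": None, "messages": [],
                          "errors": [{"code": 0, "message": "profile not found"}]})
```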