lightbend / cloudflow

Cloudflow enables users to quickly develop, orchestrate, and operate distributed streaming applications on Kubernetes.
https://cloudflow.io
Apache License 2.0
321 stars 90 forks source link

Cloudflow application support for TLS certificates #860

Open huntc opened 4 years ago

huntc commented 4 years ago

Would it be possible to have Cloudflow support the delivery of TLS certificates by Kubernetes for the purposes of both supporting trusted ingress and egress?

Kubernetes provides a degree of support for managing and delivering TLS certificates to containers. Our client has self-signed certificates and wishes these to made available to Cloudflow application containers at the point of deployment. My understanding is that a directory for the TLS certificates is declared using kubectl.

From a Cloudflow perspective, I'd imagine that its focus is to assume a directory where certificates are delivered to. For the purposes of egress, the startup of a Cloudflow application container could invoke keytool to make the certificate known to the contained JVM, and therefore trusted. For the purposes of ingress, this directory path should be provided as a JVM property whereupon some naming convention could be used to locate certificates for the purposes of binding (for example).

I note a previous issue raised similar in nature, where the solution was to encode the secret at build time; again, we wish to defer encoding sensitive data until the point of deployment.

Also, as pointed out to me, Red Hat Developer documents an approach to supporting the setup of CAs for the JVM on Kubernetes. At a minimum, having the Cloudflow documentation describe or reference this approach might be useful.

Thanks.

RoryStokes commented 4 years ago

I think a reasonable 2-part approach here aligned with the Red Hat approach would be:

  1. Update Cloudflow to allow for initContainers to be specified for streamlets
  2. (optional) As part of the enterprise suite, publish a utility container designed for this purpose that includes scripting to load any certificates that are provided via a volume mount to the keystore

That would allow developers to support a wide range of init tasks via custom images, while also providing a new avenue for value-adds from the enterprise suite. Once these capabilities exist, the helm templates could be revised to make this specific use case much simpler to configure at deploy time.