Mutual TLS (mTLS) is a good way to protect sensitive information while it travels over the Internet. One drawback is that certificates need to be renewed periodically, and if many applications share the same certificate chain (e.g. a company with many microservices that handle sensitive information) you end up replacing the key store in every one of them each time the certificate approaches expiry. One way to handle this in a Kubernetes environment is to have all the microservices read the same key store from a single Secret. Note that the key store holds a private key, so it belongs in a Secret; a ConfigMap is only appropriate for the trust store, which holds nothing but public CA certificates.
Here is how to set it up:
1. Create a Secret with the key stores you need (I've also added a trust store here; since it only contains public certificates it could go in a ConfigMap instead):
kubectl create secret generic shared-trust-and-key-stores --from-file=keystore.p12 --from-file=truststore.jks
2. (Optional) Create a Secret to hold the pass phrases for the key stores. The values below are placeholders; be aware that --from-literal puts the real pass phrases in your shell history and in the process list, so for anything but a test cluster prefer --from-file or --from-env-file:
kubectl create secret generic shared-trust-and-key-store-credentials --from-literal=truststore_password=secret1 --from-literal=key_password=secret2 --from-literal=keystore_password=secret3
3. For every application, set up a volume backed by the Secret (or, for a trust store, ConfigMap) and mount it into the container. One caveat on the mount path: mounting a volume at /etc/ssl hides whatever the image already keeps there (such as the system CA bundle under /etc/ssl/certs and openssl.cnf). A JVM uses its own cacerts file and is unaffected, but if other tools in the container rely on /etc/ssl, choose a dedicated path such as a subdirectory and adjust the paths below accordingly:
...
  containers:
  - name: mypod
    image: myimage
    volumeMounts:
    - name: shared-keystores
      mountPath: "/etc/ssl"
  volumes:
  - name: shared-keystores
    secret:
      secretName: shared-trust-and-key-stores
...
4. (Optional) Expose the pass phrase Secret as environment variables in the container:
...
  containers:
  - name: mypod
    image: myimage
    env:
    - name: TRUSTSTORE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: shared-trust-and-key-store-credentials
          key: truststore_password
    - name: KEY_PASSWORD
      valueFrom:
        secretKeyRef:
          name: shared-trust-and-key-store-credentials
          key: key_password
    - name: KEYSTORE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: shared-trust-and-key-store-credentials
          key: keystore_password
...
Now all the application has to do is read its key stores from /etc/ssl:
* key store: /etc/ssl/keystore.p12
* trust store: /etc/ssl/truststore.jks
and if you are using the shared-trust-and-key-store-credentials Secret you will find the pass phrases in environment variables called:
* KEY_PASSWORD
* KEYSTORE_PASSWORD
* TRUSTSTORE_PASSWORD
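The one thing the steps above do not cover is what happens inside the application after a rotation: a JVM reads the key store once when it builds its SSLContext, so even though the Secret volume is refreshed on disk, the old key keeps being used until the file is re-read or the pod is restarted. The following Java class is an added example, not code from the original post: it loads the stores from the paths and environment variables laid out above, builds an SSLContext, and rebuilds it when the mounted key store file changes. The class name, the modification-time check and the error handling are my own assumptions; only the paths and variable names come from the steps above.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext from the stores mounted from the shared Secret and
 * rebuilds it when the mounted key store is replaced (i.e. after a rotation).
 * Hypothetical helper written for this example; paths and variable names
 * match the Kubernetes setup described in the post.
 */
public final class SharedStoreSslContext {
    // Paths from the volumeMount in step 3.
    private static final Path KEYSTORE = Paths.get("/etc/ssl/keystore.p12");
    private static final Path TRUSTSTORE = Paths.get("/etc/ssl/truststore.jks");

    private volatile SSLContext context;
    private FileTime lastSeen; // mtime of the key store when it was last loaded

    // Pass phrases come from the env vars mapped in step 4; fail loudly if one is missing.
    private static char[] env(String name) {
        String value = System.getenv(name);
        if (value == null) {
            throw new IllegalStateException("missing environment variable " + name);
        }
        return value.toCharArray();
    }

    private static KeyStore load(Path path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            store.load(in, password); // verifies the store's integrity with the password
        }
        return store;
    }

    /** Reads both stores from disk and builds a fresh SSLContext for mTLS. */
    public static SSLContext build() throws IOException, GeneralSecurityException {
        KeyStore keyStore = load(KEYSTORE, "PKCS12", env("KEYSTORE_PASSWORD"));
        KeyStore trustStore = load(TRUSTSTORE, "JKS", env("TRUSTSTORE_PASSWORD"));

        // KEY_PASSWORD protects the private key entry and may differ from the store password.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, env("KEY_PASSWORD"));

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Returns an SSLContext that reflects the files currently on disk.
     * The kubelet replaces the files of a Secret volume atomically when the
     * Secret changes, so a changed modification time means a rotation happened.
     */
    public synchronized SSLContext current() throws IOException, GeneralSecurityException {
        FileTime now = Files.getLastModifiedTime(KEYSTORE);
        if (context == null || !now.equals(lastSeen)) {
            context = build();
            lastSeen = now;
        }
        return context;
    }

    // Usage: SSLContext ctx = new SharedStoreSslContext().current();
    // then ctx.getSocketFactory() for clients or ctx.getServerSocketFactory() for servers.
}
```

Call current() each time a new connection or listener is created rather than caching the SSLContext yourself; a rebuilt context only affects connections opened after the reload, and a server socket created from the old context keeps the old key until it is re-created. The pass phrases are read from environment variables, which Kubernetes sets only at container start, so a rotation that also changes a pass phrase still requires a pod restart.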
When the time comes to renew the certificates you only have to update the Secret in one place. Two caveats: a Secret mounted as a volume is refreshed inside running pods (after the kubelet sync period plus cache propagation delay, so allow a minute or more; subPath mounts are never refreshed), but environment variables are only read at container start and the application must re-read the files itself to pick up the new key store, so if it does not, restart the pods (kubectl rollout restart deployment/<name>). Also, anyone who can read this Secret, or exec into any pod that mounts it, now holds the private key for every service that shares it, so restrict RBAC on the Secret and enable encryption at rest for Secrets in etcd.
Tested on VMware Tanzu v1.23.8