# Create the demo project and the working tree that will hold the CA,
# server and client key material.
oc new-project mtls
mkdir -p -- tls/ca tls/server tls/client
This section simulates a private certificate authority.
-
Certificate Authority (CA)
# Demo CA: a fresh 2048-bit RSA key plus a self-signed certificate valid for
# one year. No -nodes is given, so openssl prompts for a passphrase and writes
# ca.key encrypted -- appropriate for a signing key.
openssl req -new -x509 \
  -newkey rsa:2048 \
  -keyout tls/ca/ca.key \
  -out tls/ca/ca.crt \
  -days 365 \
  -subj "/CN=mycompany.com"
-
Create a Truststore
# Seed the truststore with the CA certificate so anything the CA signs is
# trusted. The store password is a literal for this demo; keytool also accepts
# -storepass:env VAR or -storepass:file PATH to keep it out of shell history.
keytool -importcert \
  -keystore tls/ca/truststore -storepass password \
  -alias mycompany.com \
  -file tls/ca/ca.crt
-
Server Key
# Server key pair (RSA 2048) kept in its own keystore. Only a CN is set; if the
# client performs hostname verification it may expect a SAN as well
# (keytool: -ext SAN=dns:server) -- confirm against the client's TLS config.
keytool -genkeypair \
  -keystore tls/server/server.keystore -storepass password \
  -alias server \
  -keyalg RSA -keysize 2048 \
  -dname "CN=server"
-
Certificate Signing Request (CSR)
# Produce a CSR for the server key; the CA signs it in the next step.
keytool -certreq \
  -keystore tls/server/server.keystore -storepass password \
  -alias server \
  -keyalg rsa \
  -file tls/server/server.csr
-
Certificate Authority Sign
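# Sign the server CSR with the demo CA (one-year validity). -CAcreateserial
# creates the serial file next to ca.crt on first use and reuses it afterwards.
openssl x509 -req \
  -CA tls/ca/ca.crt -CAkey tls/ca/ca.key -CAcreateserial \
  -in tls/server/server.csr \
  -out tls/server/server.crt \
  -days 365
# Import the CA certificate first: keytool verifies a certificate reply against
# the trusted certificates it already knows, so importing server.crt before
# the root would fail to build the chain. The store password is passed
# explicitly to match the other keytool steps instead of prompting.
keytool -import -v -trustcacerts -storepass password \
  -keystore tls/server/server.keystore \
  -alias root -file tls/ca/ca.crt
keytool -import -v -trustcacerts -storepass password \
  -keystore tls/server/server.keystore \
  -alias server -file tls/server/server.crt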
3.1 Verify the chain
```
keytool -list -v -keystore tls/server/server.keystore
```
-
Import to truststore
# Add the signed server certificate to the shared truststore.
keytool -importcert \
  -keystore tls/ca/truststore -storepass password \
  -alias server \
  -file tls/server/server.crt
-
Client Key
# Client key pair (RSA 2048) in its own keystore; this is the identity the
# client presents during the mTLS handshake.
keytool -genkeypair \
  -keystore tls/client/client.keystore -storepass password \
  -alias client \
  -keyalg RSA -keysize 2048 \
  -dname "CN=client"
-
Certificate Signing Request (CSR)
# Produce a CSR for the client key; the CA signs it in the next step.
keytool -certreq \
  -keystore tls/client/client.keystore -storepass password \
  -alias client \
  -keyalg rsa \
  -file tls/client/client.csr
-
Certificate Authority Sign
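# Sign the client CSR with the demo CA (one-year validity). The serial file
# created for the server certificate is reused here.
openssl x509 -req \
  -CA tls/ca/ca.crt -CAkey tls/ca/ca.key -CAcreateserial \
  -in tls/client/client.csr \
  -out tls/client/client.crt \
  -days 365
# Import the CA certificate first so the client certificate reply can be
# chained to a trusted root. The store password is passed explicitly to match
# the other keytool steps instead of prompting.
keytool -import -v -trustcacerts -storepass password \
  -keystore tls/client/client.keystore \
  -alias root -file tls/ca/ca.crt
keytool -import -v -trustcacerts -storepass password \
  -keystore tls/client/client.keystore \
  -alias client -file tls/client/client.crt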
3.1 Verify the chain
```
keytool -list -v -keystore tls/client/client.keystore
```
-
Import to truststore
# Add the signed client certificate to the shared truststore.
keytool -importcert \
  -keystore tls/ca/truststore -storepass password \
  -alias client \
  -file tls/client/client.crt
-
Server Secret
# Bundle everything under tls/server/ (keystore, CSR, certificate) into one
# Secret. The keystore holds the server's private key, so this Secret is
# sensitive material.
oc create secret generic server --from-file tls/server/
-
Client Secret
# Bundle everything under tls/client/ (keystore, CSR, certificate) into one
# Secret. The keystore holds the client's private key.
oc create secret generic client --from-file tls/client/
-
Truststore Secret
# The truststore contains only public certificates (CA, server, client).
oc create secret generic truststore --from-file tls/ca/truststore
-
Server
JVM:
# JVM build of the server module using the OpenJDK S2I builder image.
oc new-build --name=server \
  registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift~https://github.com/openlab-red/quarkus-mtls-quickstart \
  --context-dir=/quarkus-server-mtls
Native:
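# Native build of the server module using the Quarkus native S2I builder.
oc new-build --name=server \
  quay.io/quarkus/ubi-quarkus-native-s2i:19.3.1-java11~https://github.com/openlab-red/quarkus-mtls-quickstart \
  --context-dir=/quarkus-server-mtls
# Native compilation is resource hungry; raise the build's CPU/memory limits.
oc patch bc/server -p '{"spec":{"resources":{"limits":{"cpu":"6", "memory":"6Gi"}}}}'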
-
Client
JVM:
# JVM build of the client module using the OpenJDK S2I builder image.
oc new-build --name=client \
  registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift~https://github.com/openlab-red/quarkus-mtls-quickstart \
  --context-dir=/quarkus-client-mtls
Native:
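# Native build of the client module using the Quarkus native S2I builder.
oc new-build --name=client \
  quay.io/quarkus/ubi-quarkus-native-s2i:19.3.1-java11~https://github.com/openlab-red/quarkus-mtls-quickstart \
  --context-dir=/quarkus-client-mtls
# Raise the limits on the build just created (bc/client, not the server
# build, which was already patched in its own section).
oc patch bc/client -p '{"spec":{"resources":{"limits":{"cpu":"6", "memory":"6Gi"}}}}'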
# Create the ConfigMaps, Services and Route from the manifest directory.
oc apply --filename manifest/
The following kubernetes components will be created:
- server ConfigMap
- server Service
- client ConfigMap
- client Service
- client Route
The following kubernetes components will be created:
- server Deployment
- client Deployment
-
Provide the `view` role to the default service account:

oc policy add-role-to-user -z default view
-
Deploy
# Apply the shared Kubernetes configuration (directory name spelled as in the
# repository).
oc apply --filename manifest/kuberntes-config/
-
Deploy in JVM mode
# Deployments for the JVM images built above.
oc apply --filename manifest/jvm/
-
Deploy in Native mode
# Deployments for the native images built above.
oc apply --filename manifest/native/
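# Replace <client-external-address> with the host of the client Route
# (see `oc get route client`). The URL is quoted because an unquoted '<' and
# '>' would be taken as shell redirections. This request is plain HTTP to the
# Route; the mTLS hop is between the client and server pods.
curl "http://<client-external-address>/hello-client"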
hello from server