mirror of https://github.com/taigrr/nats.docs synced 2025-01-18 04:03:23 -08:00

Update operator-tls-setup-with-cfssl.md

This commit is contained in:
Ginger Collison 2019-12-18 16:17:21 -06:00 committed by GitHub
parent b082996143
commit 469e9a9894
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -12,7 +12,7 @@
### Creating the Certificates
### **Generating the Root CA Certs**
### Generating the Root CA Certs
```javascript
{
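Review bot: the fence that follows the renamed heading is still tagged `javascript` although what it opens (the `{` on the next line) is the cfssl JSON for the Root CA; retag it `json` so the block highlights correctly and editors do not try to lint it as JS. The heading change itself is fine, it only drops the redundant bold inside `###`.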
@ -41,10 +41,44 @@
Setup the profiles for the Root CA, we will have 3 main profiles: one for the clients connecting, one for the servers, and another one for the full mesh routing connections between the servers.
```bash
{ "signing": { "default": { "expiry": "43800h" }, "profiles": { "server": { "expiry": "43800h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] }, "client": { "expiry": "43800h", "usages": [ "signing", "key encipherment", "client auth" ] }, "route": { "expiry": "43800h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } }
{
"signing": {
"default": {
"expiry": "43800h"
},
"profiles": {
"server": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
},
"client": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"route": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
```
### **Generating the NATS server certs**
### Generating the NATS server certs
First we generate the certificates for the server.
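Review bot: the reflowed signing config is a clear improvement over the one-liner, but it is still fenced as `bash` while the content is JSON (the config that `cfssl` reads for signing); retag the fence `json`. The prose could also state why the profiles differ: `server` and `route` carry both `server auth` and `client auth` (routes are mutually authenticated), whereas `client` deliberately lacks `server auth`, so a client certificate cannot be presented as a server or route identity, and readers should not collapse the three profiles into one. Note that `43800h` (five years) is used for every profile including `client`; mentioning a shorter leaf lifetime as an option would help operators. Minor: "Setup the profiles" should read "Set up the profiles".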
@ -84,7 +118,7 @@ First we generate the certificates for the server.
)
```
### **Generating the NATS server routes certs**
### Generating the NATS server routes certs
We will also be setting up TLS for the full mesh routes.
@ -124,7 +158,7 @@ We will also be setting up TLS for the full mesh routes.
)
```
**Generating the certs for the clients \(CNCF && ACME\)**
## Generating the certs for the clients \(CNCF && ACME\)
```javascript
{
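Review bot: `## Generating the certs for the clients \(CNCF && ACME\)` lands at heading level 2 while the sibling server and routes sections above it are `###`, so the client section now outranks the section it belongs to; use `###` to keep the hierarchy consistent. The `\(` and `\)` escapes are not needed inside a heading. As with the Root CA block, the fence is `javascript` for JSON content.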
@ -150,11 +184,11 @@ We will also be setting up TLS for the full mesh routes.
)
```
**Kubectl create**
## Kubectl Create
\`\`\`sh :results output cd certs kubectl create secret generic nats-tls-example --from-file=ca.pem --from-file=server-key.pem --from-file=server.pem kubectl create secret generic nats-tls-routes-example --from-file=ca.pem --from-file=route-key.pem --from-file=route.pem kubectl create secret generic nats-tls-client-example --from-file=ca.pem --from-file=client-key.pem --from-file=client.pem
```text
```
cd certs kubectl create secret generic nats-tls-example --from-file=ca.pem --from-file=server-key.pem --from-file=server.pem kubectl create secret generic nats-tls-routes-example --from-file=ca.pem --from-file=route-key.pem --from-file=route.pem kubectl create secret generic nats-tls-client-example --from-file=ca.pem --from-file=client-key.pem --from-file=client.pem
```
### Create the Auth secret
```js
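Review bot: the three `kubectl create secret generic` commands after `cd certs` are run together on a single line, so pasted as-is the shell sees one `cd` invocation with a long argument list and creates no secrets; put each command on its own line (or join them with `&&`). The new fence is tagged `text`, which loses shell highlighting; `sh` matches the surrounding blocks. The split itself is right: `ca.pem` goes into all three secrets while each role (`server`, `route`, `client`) gets only its own private key, and the doc would benefit from saying that each pod should mount only the secret for its role.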
@ -235,7 +269,7 @@ spec:
#### Create APP using certs
**Adding a new pod which uses the certificates**
## Adding a new pod which uses the certificates
Development
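Review bot: `## Adding a new pod which uses the certificates` is now a level-2 heading directly under `#### Create APP using certs`, inverting the hierarchy in the context line above; make it `#####` (or `####` if it is meant as a sibling) rather than jumping up two levels.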
@ -342,8 +376,8 @@ docker push wallyqs/nats-client-app
```
Pod spec
\`\`\`sh :results output echo ' apiVersion: apps/v1beta2 kind: Deployment
```
echo ' apiVersion: apps/v1beta2 kind: Deployment
## The name of the deployment
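Review bot: the `echo '` line collapses the manifest onto one line (`apiVersion: apps/v1beta2 kind: Deployment`), which is not valid YAML once piped to `kubectl apply`; restore the line breaks that the original file had. The replacement fence also lost its `sh` tag when the escaped backticks were converted. Separately, the `apps/v1beta2` API for Deployment was removed in Kubernetes 1.16; the example should use `apps/v1`.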
@ -389,5 +423,5 @@ template: metadata: labels: name: nats-client-app spec: volumes:
' \| kubectl apply -f -
\`\`\`
```
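Review bot: `' \| kubectl apply -f -` keeps a markdown-escaped pipe inside a code fence; inside a fence the backslash is rendered literally, so a reader copying the block gets `\|`, which the shell passes to `echo` as an argument instead of piping into `kubectl`. Drop the backslash. The context line `template: metadata: labels: name: nats-client-app spec: volumes:` shows the same collapsed-YAML problem as the start of the manifest and needs its line breaks back as well.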