Configure Management and Control Plane Authentication with TLS Encryption
SUMMARY This topic describes how to configure management and control plane authentication with TLS encryption in CN2 Release 22.4 or later in a Kubernetes-orchestrated environment.
Overview
CN2 supports management and control plane authentication with TLS encryption. TLS handles certificate exchange, mutual authentication, and cipher negotiation, and protects the resulting stream against tampering and eavesdropping.
Certificates are part of the deployment used to bring up CN2. In Kubernetes, all certificates are stored as Secrets. By default, the certificates and Secrets for the Contrail control plane and vRouter are generated automatically through the ContrailCertificateManager CRD. If desired, you can also create certificates for other components, such as Sandesh and the Contrail API server.
You can generate certificates using one of the following tools:
- cert-manager (default): cert-manager adds certificates as resource types in Kubernetes clusters and simplifies obtaining, renewing, and using them. By default, the certificate is valid for 10 years and is renewed automatically 15 days before its expiration date.
- go-crypto: go-crypto is a cryptographic package you can use to generate certificates. It is a lightweight generator that does not use containers. By default, the certificate is valid for 10 years but is not renewed automatically, so you must track the expiration date and renew the certificate yourself.
Considerations
Read through these considerations before you begin the configuration:
- When a certificate is renewed, you must restart the pod that uses it so that it picks up the new certificate.
- You must enable TLS encryption for the Contrail control plane and vRouter even when you provide your own certificate; supplying a certificate does not turn TLS on by itself.
- If you are using your own certificate authority (CA), the Secret must contain the keys tls.crt and tls.key.
Configure TLS Encryption for Contrail Control Plane and vRouter
Follow the steps in this procedure to configure TLS encryption for the Contrail control plane and vRouter.
By default, TLS encryption is enabled for XMPP and introspect on both the control plane and the vRouter. TLS-based XMPP secures all XMPP communication in the networking environment. If you prefer, you can disable TLS encryption by setting the following fields to false under the spec field in your control and vRouter YAML files. Doing so removes the protection against tampering and eavesdropping described above. For example:
  xmppAuthEnable: false
  introspectSslEnable: false
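The following Python script is an added example written for this page; it is not CN2 or Juniper code. It ties together the two checks a practitioner would want before applying manifests: it builds a kubernetes.io/tls Secret for a custom CA carrying the tls.crt and tls.key keys the Considerations require and validates such a Secret structurally, and it flags Control or vRouter specs in which xmppAuthEnable or introspectSslEnable has been set to false, showing a weak spec beside its hardened form. The key names and the two flag names come from this page; the kinds Control and Vrouter, the object names, the Secret name contrail-ca and the namespace contrail are assumptions, and the PEM bodies are constructed placeholders rather than real key material. The Secret check looks only at structure (required keys, valid base64, PEM markers); it does not verify the certificate chain, signature or expiry.

```python
"""Added example (not CN2/Juniper code): build and audit the manifests this
page describes: a custom-CA Secret with tls.crt/tls.key, and Control/vRouter
specs whose xmppAuthEnable/introspectSslEnable flags must not be false."""
import base64

# Keys a user-supplied CA Secret must carry (from the page's considerations).
REQUIRED_TLS_KEYS = ("tls.crt", "tls.key")
# Spec fields that enable TLS for XMPP and introspect (from the page);
# both default to true, so only an explicit false disables TLS.
TLS_FLAGS = ("xmppAuthEnable", "introspectSslEnable")

# Constructed placeholder PEM bodies: NOT real key material, just enough to
# exercise the manifest-building and validation logic offline.
SAMPLE_CA_CERT = ("-----BEGIN CERTIFICATE-----\n"
                  "Q09OU1RSVUNURUQgU0FNUExFIENFUlQ=\n"
                  "-----END CERTIFICATE-----\n")
SAMPLE_CA_KEY = ("-----BEGIN PRIVATE KEY-----\n"
                 "Q09OU1RSVUNURUQgU0FNUExFIEtFWQ==\n"
                 "-----END PRIVATE KEY-----\n")


def build_ca_secret(name, namespace, cert_pem, key_pem):
    """Return a kubernetes.io/tls Secret manifest (as a dict) for a custom CA.
    Values under `data` are base64-encoded, as the Kubernetes API expects."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        "data": {
            "tls.crt": base64.b64encode(cert_pem.encode()).decode(),
            "tls.key": base64.b64encode(key_pem.encode()).decode(),
        },
    }


def check_ca_secret(secret):
    """Return a list of problems with a CA Secret manifest; empty means OK.
    Structural checks only: required keys, valid base64, PEM markers."""
    problems = []
    data = secret.get("data") or {}
    for key in REQUIRED_TLS_KEYS:
        if key not in data:
            problems.append(f"missing key {key!r} in Secret data")
            continue
        try:
            pem = base64.b64decode(data[key], validate=True).decode()
        except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
            problems.append(f"{key} is not valid base64-encoded text")
            continue
        # tls.crt must hold a certificate; tls.key any PEM private-key form
        # (PKCS#8 "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY").
        marker = "-----BEGIN CERTIFICATE-----" if key == "tls.crt" else "PRIVATE KEY-----"
        if marker not in pem:
            problems.append(f"{key} does not look like PEM ({marker!r} not found)")
    if secret.get("type") != "kubernetes.io/tls":
        problems.append("Secret type should be kubernetes.io/tls")
    return problems


def disabled_tls_flags(spec):
    """Return the TLS flags a Control/Vrouter spec explicitly sets to false.
    An absent flag is fine (TLS is on by default). Accepts the boolean False
    and the string 'false', as a quoted YAML value would arrive."""
    disabled = []
    for flag in TLS_FLAGS:
        value = spec.get(flag)
        if value is not None and str(value).lower() == "false":
            disabled.append(flag)
    return disabled


def audit(secret, manifests):
    """Audit a CA Secret plus Control/vRouter manifests (dicts with 'kind',
    'metadata', 'spec'). Returns {object: [problems]} for failing objects."""
    findings = {}
    secret_problems = check_ca_secret(secret)
    if secret_problems:
        findings[secret.get("metadata", {}).get("name", "<secret>")] = secret_problems
    for m in manifests:
        disabled = disabled_tls_flags(m.get("spec") or {})
        if disabled:
            name = f"{m['kind']}/{m['metadata']['name']}"
            findings[name] = [f"{flag} is false: TLS disabled" for flag in disabled]
    return findings


# Constructed sample manifests. The kinds "Control"/"Vrouter" and the object
# names are assumptions, not taken from the page.
WEAK_VROUTER = {"kind": "Vrouter", "metadata": {"name": "vrouter-nodes"},
                "spec": {"xmppAuthEnable": False, "introspectSslEnable": False}}
HARDENED_VROUTER = {"kind": "Vrouter", "metadata": {"name": "vrouter-nodes"},
                    "spec": {"xmppAuthEnable": True, "introspectSslEnable": True}}
DEFAULT_CONTROL = {"kind": "Control", "metadata": {"name": "contrail-control"},
                   "spec": {}}  # flags omitted: TLS stays on by default

if __name__ == "__main__":
    ca = build_ca_secret("contrail-ca", "contrail", SAMPLE_CA_CERT, SAMPLE_CA_KEY)
    for obj, problems in audit(ca, [WEAK_VROUTER, DEFAULT_CONTROL]).items():
        print(obj, "->", "; ".join(problems))
    assert audit(ca, [HARDENED_VROUTER, DEFAULT_CONTROL]) == {}
```

Run it as-is to see the weak vRouter spec reported; in practice you would load the real Secret and Control/Vrouter manifests (for example from `kubectl get ... -o json`) into the same dict shape and feed them to audit() before applying them. Because the Considerations note that TLS must be enabled even when you bring your own certificate, the two checks belong together: a valid CA Secret with a spec that sets either flag to false still leaves XMPP or introspect unprotected.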
To configure TLS encryption for the Contrail control plane and vRouter: