Configure Management and Control Plane Authentication with TLS Encryption

SUMMARY This topic describes how to configure management and control plane authentication with TLS encryption in CN2 Release 22.4 or later in a Kubernetes-orchestrated environment.

Overview

CN2 supports management and control plane authentication with TLS encryption. The TLS protocol is used for certificate exchange, mutual authentication, and negotiating ciphers to secure the stream from potential tampering and eavesdropping.

Certificates are part of the deployment used to bring up CN2. In Kubernetes all certificates are translated to secrets. By default, the certificate and secrets for the Contrail control plane and vRouter are automatically generated in the ContrailCertificateManager CRD. If desired, you can also create certificates for other components, such as Sandesh and the Contrail API server.

You can generate certificates using one of the following tools:

  • cert-manager (default): The cert-manager tool adds certificates as resource types in Kubernetes clusters and simplifies obtaining, renewing, and using those certificates. By default, the certificate is valid for 10 years and is automatically renewed 15 days before its expiration date.

  • go-crypto: go-crypto is a cryptographic package you can use to generate certificates. It is a lightweight generator that does not run in a container. By default, the certificate is valid for 10 years but is not automatically renewed.

Considerations

Read through this list of considerations before you begin the configuration:

  • When a certificate is renewed, you must restart the pod.

  • Providing a certificate does not by itself turn on TLS: you must still enable TLS encryption for the Contrail control plane and vRouter.

  • If you are creating your own certificate authority (CA), the secret must contain the keys tls.crt and tls.key.

Configure TLS Encryption for Contrail Control Plane and vRouter

Follow the steps in this procedure to configure TLS encryption for the Contrail control plane and vRouter.

Note:

By default, TLS encryption is enabled for XMPP and introspect on both the control plane and the vRouter. TLS-based XMPP secures all XMPP communication in the networking environment. If you prefer, you can disable TLS encryption by setting the corresponding field under spec to false in your control and vRouter YAML files. For example:

To configure TLS encryption for the Contrail control plane and vRouter:

  1. Specify the generator type (generatortype) in ContrailCertificateManager: either cert-manager or go-crypto. The default generator is cert-manager.
    In Kubernetes, all certificates are translated to secrets. When you generate the certificate, the secrets are created automatically when you apply your deployment.yaml file.
    The following examples show certificates created with cert-manager and go-crypto for control and vRouter:

    Example using cert-manager:

    Example using go-crypto:
  2. Apply your deployment.yaml file to generate the certificate.
  3. Verify your configuration.

    Run the following kubectl commands to verify that the certificate and secrets were successfully generated.

By default, certificates and secrets are generated automatically in ContrailCertificateManager. You can also create secrets for other components or create your own CA.

To create secrets for other components, specify the component(s) you want to use in either cert-manager or go-crypto. One secret can serve multiple components.

The available components are:

  • control-xmpp

  • vrouter-sandesh

  • control-sandesh

  • contrail-api-server

  • vrouter-xmpp

If you did not specify a casecret in ContrailCertificateManager, a self-signed certificate is created automatically. This self-signed certificate is valid for 10 years.

If desired, you can specify your own CA certificate as shown in the following example. The secret must contain the keys tls.crt and tls.key.

Run the kubectl apply -f ca-key-pair.yaml command to apply the secret.
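As an added pre-apply check (not part of the CN2 documentation or product), the following Python lints a hand-written ca-key-pair Secret before you run kubectl apply: it confirms the secret carries the tls.crt and tls.key keys the Considerations section requires, that each value is valid base64, and that the decoded PEM block is of the right type. The PEM bodies and manifests are constructed placeholders; the CRD field name casecret comes from the page.

```python
import base64
import re

# Keys a CA secret referenced as casecret must carry (see Considerations).
REQUIRED_KEYS = ("tls.crt", "tls.key")
# Matches one PEM block and captures its label (e.g. CERTIFICATE, PRIVATE KEY).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----", re.S)


def lint_ca_secret(secret):
    """Return a list of problems in a Secret manifest (dict). Empty list = usable."""
    problems = []
    if secret.get("kind") != "Secret":
        problems.append("kind must be Secret")
    # kubernetes.io/tls is the standard Secret type for a tls.crt/tls.key pair.
    if secret.get("type") not in (None, "kubernetes.io/tls", "Opaque"):
        problems.append(f"unexpected type {secret.get('type')!r}")
    data = secret.get("data") or {}
    for key in REQUIRED_KEYS:
        if key not in data:
            problems.append(f"missing data key {key}")
            continue
        try:
            pem = base64.b64decode(data[key], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            problems.append(f"{key} is not valid base64")
            continue
        m = PEM_BLOCK.search(pem)
        if not m:
            problems.append(f"{key} does not contain a PEM block")
        elif key == "tls.crt" and m.group(1) != "CERTIFICATE":
            problems.append(f"tls.crt holds {m.group(1)}, not a CERTIFICATE")
        elif key == "tls.key" and "PRIVATE KEY" not in m.group(1):
            problems.append(f"tls.key holds {m.group(1)}, not a private key")
    return problems


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed placeholders standing in for real PEM material.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"

GOOD = {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
        "metadata": {"name": "ca-key-pair"},
        "data": {"tls.crt": b64(FAKE_CERT), "tls.key": b64(FAKE_KEY)}}
# Common mistake: CA material stored under ca.crt/ca.key instead of tls.crt/tls.key.
BAD = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
       "metadata": {"name": "ca-key-pair"},
       "data": {"ca.crt": b64(FAKE_CERT), "ca.key": b64(FAKE_KEY)}}

if __name__ == "__main__":
    for name, manifest in (("good", GOOD), ("bad", BAD)):
        print(name, lint_ca_secret(manifest) or "OK")
```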