diff --git a/docs/CONFIGURATION_MTLS.md b/docs/CONFIGURATION_MTLS.md index 76f24567..904f1264 100644 --- a/docs/CONFIGURATION_MTLS.md +++ b/docs/CONFIGURATION_MTLS.md 
@@ -1,66 +1,123 @@ # Configuring mTLS: Guidelines and Instructions -- **Step-1:** Create a ca-config.cnf file +**Step-1:** Create a ca-config.cnf file [ req ] + default_bits = 2048 + distinguished_name = req_distinguished_name + req_extensions = req_ext + x509_extensions = v3_ca + [ req_distinguished_name ] + countryName = Country Name (2 letter code) + countryName_default = IN + stateOrProvinceName = State or Province Name (full name) + stateOrProvinceName_default = Tamil Nadu + localityName = Locality Name (eg, city) + localityName_default = Chennai + organizationName = Organization Name (eg, company) + organizationName_default = Kubviz + commonName = Common Name (e.g. server FQDN or YOUR name) + commonName_max = 64 + [ req_ext ] + subjectAltName = @alt_names + [ v3_ca ] + subjectAltName = @alt_names + [ alt_names ] + DNS.1 = kubviz-client-nats + DNS.2 = kubviz-client + DNS.3 = kubviz-agent -- **Step-2:** Create ca-cert.pem +**Step-2:** Create ca-cert.pem +```bash openssl genrsa -out ca-key.pem 4096 +``` + +```bash openssl req -new -x509 -days 365 -key ca-key.pem -out ca-cert.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=KubvizCA" +``` -- **Step-3:** Create the Server Certificate +**Step-3:** Create the Server Certificate +```bash openssl genrsa -out server-key.pem 4096 +``` + +```bash openssl req -new -key server-key.pem -out server-csr.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=kubviz-client-nats" -config ca-config.cnf -extensions req_ext +``` + +```bash openssl x509 -req -days 365 -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem -extfile ca-config.cnf -extensions v3_ca +``` -- **Step-4:** Create the Client Certificate +**Step-4:** Create the Client Certificate +```bash openssl genrsa -out client-key.pem 4096 +``` + +```bash openssl req -new -key client-key.pem -out client-csr.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=kubviz-client" -config ca-congig.cnf -extensions req_ext +``` + +```bash 
openssl x509 -req -days 365 -in client-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem -extfile ca-config.cnf -extensions v3_ca +``` -- **step-5:** Create the agent certificate +**step-5:** Create the agent certificate +```bash openssl genrsa -out agent-key.pem 4096 +``` + +```bash openssl req -new -key agent-key.pem -out agent-csr.pem -subj "/C=IN/ST=Tamil Nadu/L=Chennai/O=Kubviz/CN=kubviz-agent" -config ca-config.cnf -extensions req_ext -openssl x509 -req -days 365 -in agent-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out agent-cert.pem -extfile ca-config.cnf -extensions v3_ca +``` -- **step-6:** Create secrets +```bash +openssl x509 -req -days 365 -in agent-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out agent-cert.pem -extfile ca-config.cnf -extensions v3_ca +``` +**step-6:** Create secrets +```bash kubectl create secret generic kubviz-client-ca-cert --from-file=client-cert.pem --from-file=client-key.pem --from-file=ca-cert.pem -n kubviz +``` +```bash kubectl create secret generic kubviz-agent-ca-cert --from-file=agent-cert.pem --from-file=agent-key.pem --from-file=ca-cert.pem -n kubviz +``` +```bash kubectl create secret generic kubviz-server-ca-cert --from-file=server-cert.pem --from-file=server-key.pem --from-file=ca-cert.pem -n kubviz +``` #### if you want to enable mtls add the secret name in client/values.yaml also mtls.enabled:true -- **Step-7:** Add the secret name in client/value.yaml +**Step-7:** Add the secret name in client/value.yaml Below is the nats configuration @@ -76,7 +133,7 @@ tls: ... ``` -- **Step-8:** Add the secret name in client/value.yaml +**Step-8:** Add the secret name in client/value.yaml ```yaml mtls: @@ -86,7 +143,7 @@ mtls: ... ``` -- **Step-9:** Add the secret name in agent/value.yaml +**Step-9:** Add the secret name in agent/value.yaml ```yaml mtls:
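Review bot: the agent certificate in step-5 is issued with the same serial as the client certificate in Step-4 (`-set_serial 02` on both `openssl x509 -req ... -out client-cert.pem` and `... -out agent-cert.pem`); two certificates from one CA must not share a serial, so the agent command should use `-set_serial 03` (or drop `-set_serial` for `-CAcreateserial`). While touching Step-4, the CSR command still reads `-config ca-congig.cnf`, which will fail with a file-not-found error, and should be `-config ca-config.cnf` like the other steps. For consistency with the newly fenced `bash` blocks, the ca-config.cnf contents from `[ req ]` through `DNS.3 = kubviz-agent` should also sit in a fenced block, and the `**step-5:**`/`**step-6:**` headings should be capitalised like `**Step-4:**`. Finally, the `[ v3_ca ]` section is applied to every leaf certificate via `-extensions v3_ca` but contains only `subjectAltName`; renaming it (e.g. to a server/client section) and adding `basicConstraints = CA:FALSE` plus the appropriate `extendedKeyUsage` would make the leaf certificates non-CA and the intent of the section clear.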
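Review bot: the Step-8 heading is identical to Step-7's (`**Step-8:** Add the secret name in client/value.yaml`) even though Step-7 covers the nats `tls:` block and Step-8 the `mtls:` block; retitle Step-8 (e.g. "Enable mTLS in client/values.yaml") so readers can tell the two steps apart.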
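Review bot: the Step-9 heading (and the Step-7/Step-8 headings above it) names `value.yaml`, while the `####` note earlier in the document says `client/values.yaml`; the two spellings should be reconciled to the actual filename in the charts, which by Helm convention is `values.yaml`.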