This page provides instructions to do the following tasks:
- Incorporate Custom CA certificates to the Styra DAS backend.
- Encrypt communications between load balancer and the Styra DAS.
- Integrate an External Secret Source.
Custom CA Certificates
In environments where the Styra DAS backend communicates with your internal services over Transport Layer Security (TLS) using certificates issued by custom Certificate Authorities (CAs), the backend must be provided with those trusted CA certificates.
Incorporate CA certificates into the Styra DAS backend by creating a ConfigMap, for example trusted-ca-certs, that holds the trusted CA certificate(s). If you have a directory containing the CA certificate .pem file(s), run:
kubectl create configmap trusted-ca-certs --from-file=<Certificate directory>
kubectl label configmap trusted-ca-certs app.kubernetes.io/managed-by=Helm
kubectl annotate configmap trusted-ca-certs meta.helm.sh/release-name=styra-das
When you complete the above steps, the DAS backend deployments should have a /cacerts directory, which includes the certificate file(s), and the SSL_CERT_DIR environment variable pointing to
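The fragment below is an added illustration of the outcome the steps above describe, so you can check a rendered deployment against it; it is not the Styra DAS Helm chart template. The ConfigMap name trusted-ca-certs and the /cacerts mount path come from this page; the deployment name, image and the SSL_CERT_DIR value are assumptions.

```yaml
# Added illustrative fragment (not the Styra DAS chart). Anything marked
# PLACEHOLDER is an assumption made for this example.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: das-backend            # PLACEHOLDER deployment name
spec:
  template:
    spec:
      volumes:
        # CA certificates are public material, so a ConfigMap (not a Secret)
        # is the appropriate object to carry them.
        - name: trusted-ca-certs
          configMap:
            name: trusted-ca-certs
      containers:
        - name: das-backend
          image: PLACEHOLDER/das-backend
          env:
            # Assumption: the page elides the value; pointing the variable at
            # the mount directory lets the TLS library pick up every file in it.
            - name: SSL_CERT_DIR
              value: /cacerts
          volumeMounts:
            - name: trusted-ca-certs
              mountPath: /cacerts
              readOnly: true   # the service only needs to read the CA bundle
```

To confirm the mount took effect after the rollout, list /cacerts inside a backend pod (for example with kubectl exec) and check that SSL_CERT_DIR is set in the container environment; a missing or empty /cacerts usually means the ConfigMap was not adopted by the Helm release (see the label and annotation commands above).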
Encrypt Communications Between the Load Balancer and Styra DAS
In environments where the communication between the Styra DAS gateway and services such as a load balancer must be encrypted, the gateway can be configured to use TLS.
Incorporate the TLS private key and certificate PEMs into the Styra gateway service:
Update the existing "settings" configmap with a key/value pair for the certificate as follows:
- value: the PEM contents of the certificate.
Update the existing "credentials" secret with a key/value pair for the private key as follows:
- value: the PEM contents of the private key.
When you complete the above steps, restart the gateway pod so that it uses the https port (as opposed to the http port) for communication.
Kubernetes readiness/liveness probe communication remains on non-secure port 8080, regardless of TLS configuration.
Integrate an External Secret Source
The default Styra DAS setup loads its credentials from Kubernetes secrets. Following Kubernetes best practice, this is done by mounting the credentials secret as a file system volume.
In environments where Kubernetes secrets are not part of your secret management, you can integrate an external secret source with Styra DAS using the following instructions:
Create an init container to load the necessary secrets from the external source. After loading the secrets, the init container should write each secret as an individual file under the /credentials directory for the main pod to use. The init container should create the following files under the /credentials directory, to the extent that these secrets are available:
a. For AWS credentials, the files
b. For PostgreSQL credentials, the files
c. For email (SMTP) credentials, the files
Introduce this init container into all the pods except the Elasticsearch and PostgreSQL pods.
Remove the existing volume mount of the credentials secret from these pods.
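The pod spec below is an added example of the init container pattern described in these steps; it is not part of Styra's charts. It shows the two structural changes the text calls for: the credentials volume is no longer backed by a Kubernetes Secret, and an init container populates /credentials before the main container starts. The image, the fetch command and the file names written under /credentials are placeholders (the page lists the required files without naming them here); the in-memory emptyDir and the shared user id are design choices of this example.

```yaml
# Added example (not from the Styra DAS chart). Anything marked PLACEHOLDER
# is an assumption for illustration and must be replaced for your environment.
apiVersion: v1
kind: Pod
metadata:
  name: das-service            # PLACEHOLDER pod name
spec:
  # Init and main containers must share a user id so the 0600 files written
  # by the init container are readable by the service (assumption: uid 1000).
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true
  volumes:
    # Replaces the former Secret-backed "credentials" volume. medium: Memory
    # keeps the fetched secrets off node disk; the volume dies with the pod.
    - name: credentials
      emptyDir:
        medium: Memory
  initContainers:
    - name: fetch-secrets
      image: PLACEHOLDER/secret-fetcher:1.0   # image carrying your external-source client
      command: ["/bin/sh", "-c"]
      args:
        - |
          set -eu
          umask 077   # every file below is created as 0600
          # PLACEHOLDER: 'fetch-secret' stands for your external secret source's
          # CLI; each call writes exactly one secret value to one file.
          fetch-secret PLACEHOLDER_AWS_SECRET      > /credentials/PLACEHOLDER_AWS_FILE
          fetch-secret PLACEHOLDER_POSTGRES_SECRET > /credentials/PLACEHOLDER_POSTGRES_FILE
          fetch-secret PLACEHOLDER_SMTP_SECRET     > /credentials/PLACEHOLDER_SMTP_FILE
          # Fail fast if nothing was written: an empty /credentials would
          # otherwise surface later as an opaque startup error in the service.
          [ -n "$(ls -A /credentials)" ] || { echo "no secrets fetched" >&2; exit 1; }
      volumeMounts:
        - name: credentials
          mountPath: /credentials
  containers:
    - name: das-service
      image: PLACEHOLDER/styra-das-service
      volumeMounts:
        - name: credentials
          mountPath: /credentials
          readOnly: true   # the service only reads the files the init container wrote
```

Because the init container's exit status gates the main container, a failed fetch leaves the pod in Init:Error rather than starting the service with missing credentials, which is the behaviour you want to see in the pod events. Keep the init container's external-source credentials (for example a workload identity or a short-lived token) out of the pod spec itself; the example deliberately does not embed them.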