Security

This page provides instructions for the following tasks: adding custom CA certificates, encrypting communications, and integrating an external secret source.

Custom CA Certificates

In environments where the Styra DAS backend communicates with the user's internal services over Transport Layer Security (TLS) using certificates issued by custom Certificate Authorities (CAs), the backend must be provided with those trusted CA certificates.

To incorporate CA certificates into the Styra DAS backend:

  1. Create a ConfigMap that holds the trusted CA certificate(s), for example a ConfigMap named trusted-ca-certs.

  2. Add a key/value pair for each trusted certificate, for example the data keys ca-cert-1.pem, …, ca-cert-N.pem.

  3. Mount the ConfigMap as a volume in the deployment, for example at the mount path /cacerts.

  4. Set the SSL_CERT_DIR environment variable in the deployment to the volume mount path /cacerts.

The ConfigMap volume mount and the environment variable setting (Step 3 and Step 4) must be applied to every DAS backend deployment; the PostgreSQL and Elasticsearch deployments are the only exceptions.

When you complete the above steps, each DAS backend deployment should have a /cacerts directory containing the certificate files ca-cert-1.pem through ca-cert-N.pem, and the SSL_CERT_DIR environment variable should point to /cacerts.
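The four steps above as a worked Kubernetes manifest. This is an added example, not from the Styra DAS documentation: the ConfigMap name, data keys, mount path and environment variable follow the text, while the Deployment name das-backend-example, the container name, the image and the certificate contents are placeholders.

```yaml
# Step 1 and 2: ConfigMap holding the trusted CA certificate(s).
# The PEM bodies below are placeholders, not real certificates.
apiVersion: v1
kind: ConfigMap
metadata:
  name: trusted-ca-certs
data:
  ca-cert-1.pem: |
    -----BEGIN CERTIFICATE-----
    ...PEM body of the first custom CA certificate...
    -----END CERTIFICATE-----
  ca-cert-2.pem: |
    -----BEGIN CERTIFICATE-----
    ...PEM body of the second custom CA certificate...
    -----END CERTIFICATE-----
---
# Step 3 and 4: fragment of one DAS backend Deployment. The deployment,
# container and image names are placeholders; apply the same volume and
# environment variable to every DAS backend deployment except PostgreSQL
# and Elasticsearch.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: das-backend-example
spec:
  selector:
    matchLabels:
      app: das-backend-example
  template:
    metadata:
      labels:
        app: das-backend-example
    spec:
      containers:
        - name: backend
          image: example.invalid/das-backend:placeholder
          env:
            # Points the TLS library at the mounted CA bundle directory.
            - name: SSL_CERT_DIR
              value: /cacerts
          volumeMounts:
            - name: cacerts
              mountPath: /cacerts
              readOnly: true
      volumes:
        - name: cacerts
          configMap:
            name: trusted-ca-certs
```

After rollout, `kubectl exec` into a backend pod and list /cacerts to confirm that every ca-cert-N.pem file is present and that `env | grep SSL_CERT_DIR` reports /cacerts.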

Encrypt Communications

In environments where the communication between Styra DAS gateway and services such as a load balancer must be encrypted, the gateway can be configured to use TLS.

To incorporate the TLS private key and certificate PEMs into the Styra gateway service:

  1. Update the existing "settings" ConfigMap with a key/value pair for the certificate:

    • key: tls_cert.pem
    • value: the PEM contents of the certificate

  2. Update the existing "credentials" secret with a key/value pair for the private key:

    • key: tls_private_key.pem
    • value: the PEM contents of the private key

When you complete the above steps, restart the gateway pod so that it serves HTTPS on port 8443 (instead of HTTP on port 8080).

Note: Kubernetes readiness/liveness probe communication remains on the non-secure port 8080, regardless of the TLS configuration.

Integrate an External Secret Source

The default Styra DAS setup loads its credentials from Kubernetes secrets. Following Kubernetes best practices, this is done by mounting the credentials secret as a file system volume.

In environments that do not use Kubernetes secrets for secret management, you can integrate an external secret source with Styra DAS using the following instructions:

  1. Create an init container that loads the necessary secrets from the external source. After loading the secrets, the init container should write each secret as an individual file under the /credentials directory for the main pod to use. The init container should create the following files under /credentials, to the extent that these secrets are available:

    a. For AWS credentials, the files aws_access_key_id and aws_secret_access_key.

    b. For PostgreSQL credentials, the files db_username and db_password.

    c. For email (SMTP) credentials, the files smtp_username and smtp_password.

  2. Introduce this init container in all pods except the Elasticsearch and PostgreSQL pods.

Note: The existing volume mount of the credentials secret should be removed from these pods.