This page provides instructions to do the following tasks:
- Incorporate Custom CA certificates to the Styra DAS backend.
- Encrypt communications between load balancer and the Styra DAS.
- Integrate an External Secret Source.
Custom CA Certificates
In environments where the Styra DAS backend communicates with the user's internal services over Transport Layer Security (TLS) using certificates issued by custom Certificate Authorities (CAs), the backend must be provided with those trusted CA certificates.
Incorporate CA certificates into the Styra DAS backend:
1. Create a Configmap that has the trusted CA certificate(s). For example,
2. Add a key/value pair for each trusted certificate. For example, data keys
3. Mount the configmap as a volume to the deployment. For example, mount path named
4. Set the SSL_CERT_DIR environment variable in the deployment to point to the volume mount.
The configmap volume mount and the environment variable setting (Step 3 and Step 4) must be applied to every DAS backend deployment; the PostgreSQL and Elasticsearch deployments are the only exceptions.
When you complete the above steps, the DAS backend deployments should have a /cacerts directory, which includes the certificate files ca-cert-N.pem, and the SSL_CERT_DIR environment variable pointing to
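The following manifest is an added example, not taken from the Styra documentation or from the Styra DAS charts. It shows the four steps above as Kubernetes objects: a Configmap holding the trusted CA PEMs under ca-cert-N.pem keys, and the volume mount plus SSL_CERT_DIR setting on a backend Deployment. The names custom-cacerts, das-backend, the namespace, the image reference and the PEM bodies are assumptions or placeholders; the mount path /cacerts and the variable SSL_CERT_DIR are the ones the page describes.

```yaml
# Added example (not Styra's own manifest). Object names, namespace, image and
# PEM bodies are placeholders; /cacerts and SSL_CERT_DIR follow the steps above.
apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-cacerts        # assumed name
  namespace: styra-das        # assumed namespace
data:
  # One key per trusted CA. Each key becomes a file name under the mount path,
  # so the backend sees /cacerts/ca-cert-1.pem, /cacerts/ca-cert-2.pem, ...
  ca-cert-1.pem: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER: PEM body of the internal root CA certificate
    -----END CERTIFICATE-----
  ca-cert-2.pem: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER: PEM body of the internal intermediate CA certificate
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: das-backend           # assumed; apply the same change to every DAS
  namespace: styra-das        # backend deployment (not PostgreSQL/Elasticsearch)
spec:
  selector:
    matchLabels:
      app: das-backend
  template:
    metadata:
      labels:
        app: das-backend
    spec:
      containers:
        - name: das-backend
          image: "styra-das-backend:PLACEHOLDER"   # placeholder image reference
          env:
            # Step 4: point the TLS trust store lookup at the Configmap mount.
            - name: SSL_CERT_DIR
              value: /cacerts
          volumeMounts:
            # Step 3: mount the Configmap so each data key is a file in /cacerts.
            - name: cacerts
              mountPath: /cacerts
              readOnly: true
      volumes:
        - name: cacerts
          configMap:
            name: custom-cacerts
```

To confirm the change took effect on a running pod, list the directory named by the variable from inside the container (for example with `kubectl exec <pod> -- sh -c 'ls -l "$SSL_CERT_DIR"'`); every trusted CA should appear as its own .pem file. Note that Go's crypto/x509 loader reads every file in each SSL_CERT_DIR directory regardless of file name, whereas OpenSSL-based tools look files up by subject-hash name, so a sidecar linked against OpenSSL would additionally need hash-named entries in the same directory.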
Encrypt Communications Between the Load Balancer and Styra DAS
In environments where the communication between the Styra DAS gateway and services such as a load balancer must be encrypted, the gateway can be configured to use TLS.
Incorporate the TLS private key and certificate PEMs into the Styra gateway service:
1. Update the existing "settings" configmap with a key/value pair for the certificate as follows:
   - value: the PEM contents of the certificate.
2. Update the existing "credentials" secret with a key/value pair for the private key as follows:
   - value: the PEM contents of the private key.
When you complete the above steps, restart the gateway pod so that it uses the https port (as opposed to port 8080 for http) for communication.
Kubernetes readiness/liveness probe communication remains on non-secure port 8080, regardless of TLS configuration.
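The following is an added example, not from the Styra documentation, of how the certificate and private key PEMs are carried in the two existing objects. The page does not give the key names the gateway expects, so GATEWAY_TLS_CERT_KEY_PLACEHOLDER and GATEWAY_TLS_KEY_KEY_PLACEHOLDER are placeholders to replace, as are the namespace and PEM bodies; only the object names "settings" and "credentials" come from the page. The Secret uses stringData so the PEM can be written as plain text and Kubernetes performs the base64 encoding.

```yaml
# Added example (not Styra's own manifest). Key names, namespace and PEM bodies
# are placeholders; the object names "settings" and "credentials" are from the page.
apiVersion: v1
kind: ConfigMap
metadata:
  name: settings              # existing configmap: add the certificate key to it
  namespace: styra-das        # assumed namespace
data:
  # PLACEHOLDER key name: substitute the certificate key the gateway expects.
  # Value is the public certificate chain, so a ConfigMap is an acceptable home.
  GATEWAY_TLS_CERT_KEY_PLACEHOLDER: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER: PEM body of the gateway server certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER: PEM body of the issuing intermediate CA (if any)
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: Secret
metadata:
  name: credentials           # existing secret: add the private key entry to it
  namespace: styra-das
type: Opaque
# stringData lets the PEM be written in clear here; the API server stores it
# base64-encoded under "data". Never place the private key in the ConfigMap.
stringData:
  # PLACEHOLDER key name: substitute the private key entry the gateway expects.
  GATEWAY_TLS_KEY_KEY_PLACEHOLDER: |
    -----BEGIN PRIVATE KEY-----
    PLACEHOLDER: PEM body of the gateway private key
    -----END PRIVATE KEY-----
```

Apply both objects with kubectl apply, then restart the gateway pod as the steps above describe. Because the readiness and liveness probes stay on port 8080, the probe definitions in the gateway Deployment need no change when TLS is enabled; only the Service or load balancer target port moves to the https port.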
Integrate an External Secret Source
The default Styra DAS setup loads its credentials from Kubernetes secrets. Following Kubernetes best practices, this is done by mounting the credentials secret map as a file system volume.
In environments whose secret management does not use Kubernetes secrets, you can integrate an external secret source with Styra DAS using the following instructions:
1. Create an init container to load the necessary secrets from the external source. After loading the secrets, the init container should create the secrets as individual files under the /credentials directory for the main pod to use. The init container should create the following files under the /credentials directory, to the extent that these secrets are available.
   a. For AWS credentials, the files
   b. For PostgreSQL credentials, the files
   c. For email (SMTP) credentials, the files
2. Introduce this init container for all the pods, with the exception of the Elasticsearch and PostgreSQL pods.
3. Remove the existing volume mount of the credentials secret from these pods.
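The following Deployment fragment is an added example, not from the Styra documentation, of the init-container pattern the three steps describe: an in-memory emptyDir volume is shared between an init container that fetches secrets from the external source and writes them as files under /credentials, and the main container, which mounts the same volume read-only in place of the former credentials Secret volume. The page does not list the exact file names, so the paths written under /credentials are placeholders; the fetcher image, the fetch command and the das-backend name are assumptions as well. Only the fields that change are shown.

```yaml
# Added example (not Styra's own manifest). Shows only the fields that change on
# each DAS pod (except Elasticsearch and PostgreSQL). Image, fetch command and
# the file names under /credentials are placeholders; /credentials is from the page.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: das-backend           # assumed name
spec:
  template:
    spec:
      volumes:
        # Shared scratch volume in place of the former "credentials" Secret volume.
        # medium: Memory keeps the files on tmpfs rather than on node disk.
        - name: credentials
          emptyDir:
            medium: Memory
      initContainers:
        - name: fetch-secrets
          image: "secret-fetcher:PLACEHOLDER"   # client image for your secret source
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              # PLACEHOLDER: replace fetch_secret with the real call to your
              # external secret source (vault CLI, cloud secret manager, ...).
              fetch_secret() { external-secret-cli get "$1"; }
              # One file per secret, only for the secrets that exist in your
              # environment. Substitute the file names Styra DAS expects.
              fetch_secret aws/access-key   > /credentials/AWS_FILE_PLACEHOLDER
              fetch_secret postgres/password > /credentials/POSTGRES_FILE_PLACEHOLDER
              fetch_secret smtp/password     > /credentials/SMTP_FILE_PLACEHOLDER
          volumeMounts:
            - name: credentials
              mountPath: /credentials
      containers:
        - name: das-backend
          image: "styra-das-backend:PLACEHOLDER"
          volumeMounts:
            # Same path the Secret volume used to occupy, now backed by the
            # emptyDir populated by the init container; read-only for the app.
            - name: credentials
              mountPath: /credentials
              readOnly: true
          # Step 3: the previous volumeMount of the "credentials" Secret is gone,
          # and the matching secret volume entry is removed from .spec.volumes.
```

Because the init container runs to completion before the main container starts, the application finds the files present at startup exactly as it did with the Secret volume. If the main container runs as a different UID than the init container, make sure the written files are readable by that UID (for example by running both with the same runAsUser under the pod securityContext), and grant the init container's service account only the read permissions it needs at the external source.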