
Security
ENTERPRISE

This page provides instructions for the following tasks: configuring custom CA certificates for the DAS backend, encrypting communication to the DAS gateway with TLS, and integrating an external secret source.

Custom CA Certificates

In environments where the Styra DAS backend communicates with internal user services over Transport Layer Security (TLS) using certificates issued by custom Certificate Authorities (CAs), the backend must be provided with those CAs' certificates as trusted CA certificates.

Incorporate CA certificates into the Styra DAS backend by creating a ConfigMap that holds the trusted CA certificate(s), for example a ConfigMap named trusted-ca-certs. If you have a directory containing the CA certificate .pem file(s):

kubectl create configmap trusted-ca-certs --from-file=<Certificate directory>
kubectl label configmap trusted-ca-certs app.kubernetes.io/managed-by=Helm
kubectl annotate configmap trusted-ca-certs meta.helm.sh/release-name=styra-das

When you complete the above steps, the DAS backend deployments mount the certificate file(s) in a /cacerts directory and set the SSL_CERT_DIR environment variable to /cacerts, so the backend trusts the custom CAs.

Encrypt Communications

In environments where the communication between Styra DAS gateway and services such as a load balancer must be encrypted, the gateway can be configured to use TLS.

Incorporate the TLS private key and certificate PEMs into the Styra gateway service as follows:

  1. Update the existing "settings" ConfigMap with a key/value pair for the certificate:

    • key: gateway_tls_cert.pem
    • value: the PEM contents of the certificate
  2. Update the existing "credentials" Secret with a key/value pair for the private key:

    • key: gateway_tls_private_key.pem
    • value: the PEM contents of the private key

When you complete the above steps, restart the gateway pod so that it serves HTTPS on port 8443 (instead of HTTP on port 8080) for communication.

info

Kubernetes readiness/liveness probe communication remains on non-secure port 8080, regardless of TLS configuration.

Integrate an External Secret Source

The default Styra DAS setup loads its credentials from Kubernetes Secrets. Following Kubernetes best practices, the credentials Secret is mounted into the pods as a file system volume.

In environments where Kubernetes Secrets are not used for secret management, you can integrate an external secret source with Styra DAS using the following instructions:

  1. Create an init container that loads the necessary secrets from the external source. After loading them, the init container must write each secret as an individual file under the /credentials directory for the main container to use. The init container should create the following files under /credentials, to the extent that these secrets are available:

    a. For AWS credentials, the files aws_access_key_id and aws_secret_access_key.

    b. For PostgreSQL credentials, the files db_username and db_password.

    c. For email (SMTP) credentials, the files smtp_username and smtp_password.

  2. Introduce this init container for all the pods, with the exception of Elasticsearch and PostgreSQL pods.

info

The existing volume mount of the credentials secret should be removed from these pods.
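As an added example (not a manifest from the Styra documentation or chart), the fragment below shows how the two steps above fit into a DAS pod template: an init container writes the secrets into a shared emptyDir volume, and the main container mounts that volume at /credentials in place of the removed Secret mount. The init container image, the fetch-secret command and the volume name are assumptions standing in for whatever client reads your external secret store.

```yaml
# Added example, not Styra's own manifest: pod template fragment for a DAS backend Deployment.
spec:
  template:
    spec:
      volumes:
        # In-memory scratch volume shared by the init and main containers.
        # It replaces the previous volume that mounted the "credentials" Secret.
        - name: external-credentials
          emptyDir:
            medium: Memory
      initContainers:
        - name: fetch-credentials
          image: example.internal/secret-fetcher:1.0   # placeholder image (assumption)
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              # "fetch-secret" is a hypothetical client for the external secret store;
              # replace it with your store's actual CLI or API call.
              # Files are created owner-readable only; run both containers as the same
              # user (securityContext.runAsUser) or relax the mode if they differ.
              umask 077
              for name in aws_access_key_id aws_secret_access_key \
                          db_username db_password \
                          smtp_username smtp_password; do
                # Write a file only for secrets the external store actually holds.
                if value="$(fetch-secret "styra/$name" 2>/dev/null)"; then
                  printf '%s' "$value" > "/credentials/$name"
                fi
              done
          volumeMounts:
            - name: external-credentials
              mountPath: /credentials
      containers:
        - name: das-backend            # existing DAS container; only its mounts change
          image: das-backend-image     # placeholder: keep the image from the Styra chart
          volumeMounts:
            # The init container's output is mounted where the Secret used to be.
            - name: external-credentials
              mountPath: /credentials
              readOnly: true
```

Apply the same init container and volume to every DAS pod except the Elasticsearch and PostgreSQL pods, as the procedure above requires.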