API Manager with SSL
First, upload your certificate file with the .p12 extension to Kubernetes as a secret (with `--from-file`, the file name `manager.p12` becomes the key inside the secret and therefore the file name under the mount path):

```shell
kubectl create secret generic manager-tls --from-file=manager.p12 -n apinizer
```
Finding the Alias of a certificate

```shell
keytool -list -v -keystore portal.p12 -storetype PKCS12
```
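The alias printed by `keytool -list -v` is the value SSL_KEY_ALIAS must reference. As an added example (not part of the Apinizer documentation or product), the Python below parses that output into entries and checks that the chosen alias is a PrivateKeyEntry that is currently valid, which is the check worth running before the secret is deployed. KEYTOOL_OUTPUT is a constructed sample laid out the way keytool prints; the date format assumes keytool ran under an English locale and printed UTC timestamps.

```python
"""Parse `keytool -list -v` output and validate the alias that goes into SSL_KEY_ALIAS.

Added example, not Apinizer code. Feed parse_entries() the real output of
keytool -list -v -keystore manager.p12 -storetype PKCS12 in practice.
"""
import re
from datetime import datetime, timezone

# Constructed sample: two entries, one usable key pair and one expired trusted cert.
KEYTOOL_OUTPUT = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: manager
Creation date: Jan 5, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=manager.example.internal, O=Example
Issuer: CN=manager.example.internal, O=Example
Serial number: 1a2b3c4d
Valid from: Fri Jan 05 10:00:00 UTC 2024 until: Mon Jan 02 10:00:00 UTC 2034

*******************************************
*******************************************

Alias name: old-root-ca
Creation date: Jan 5, 2024
Entry type: trustedCertEntry

Owner: CN=Old Root CA, O=Example
Issuer: CN=Old Root CA, O=Example
Serial number: 01
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Wed Jan 01 00:00:00 UTC 2020
"""

# One keytool entry: alias, entry type, then the validity line of its first certificate.
# Assumption: every entry prints a "Valid from ... until ..." line (true for key and cert entries).
ENTRY_RE = re.compile(
    r"Alias name: (?P<alias>.+?)\n.*?Entry type: (?P<type>\S+).*?"
    r"Valid from: (?P<from>.+?) until: (?P<until>.+?)\n",
    re.S,
)
# Assumption: English locale, UTC zone name (strptime accepts the literal "UTC").
DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"


def _utc(text):
    return datetime.strptime(text.strip(), DATE_FMT).replace(tzinfo=timezone.utc)


def parse_entries(text):
    """Return {alias: {"type", "not_before", "not_after"}} for every entry in the listing."""
    return {
        m.group("alias").strip(): {
            "type": m.group("type"),
            "not_before": _utc(m.group("from")),
            "not_after": _utc(m.group("until")),
        }
        for m in ENTRY_RE.finditer(text)
    }


def check_alias(entries, alias, as_of=None, min_days_left=30):
    """Problems with using `alias` for TLS as of the ISO date `as_of` (empty list means OK)."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc) if as_of else datetime.now(timezone.utc)
    e = entries.get(alias)
    if e is None:
        return [f"alias {alias!r} not found; available: {sorted(entries)}"]
    problems = []
    if e["type"] != "PrivateKeyEntry":
        problems.append(f"{alias} is a {e['type']}, not a PrivateKeyEntry (no private key to serve TLS)")
    days_left = (e["not_after"] - now).days
    if now < e["not_before"]:
        problems.append(f"{alias} is not valid before {e['not_before']:%Y-%m-%d}")
    elif days_left < 0:
        problems.append(f"{alias} expired on {e['not_after']:%Y-%m-%d}")
    elif days_left < min_days_left:
        problems.append(f"{alias} expires on {e['not_after']:%Y-%m-%d}, in {days_left} days")
    return problems


if __name__ == "__main__":
    found = parse_entries(KEYTOOL_OUTPUT)
    for name in found:
        print(name, check_alias(found, name, as_of="2025-06-01") or "OK")
```

Run it against the real listing and pick the alias that comes back without problems; a trustedCertEntry or an expired entry would make the manager start but fail the HTTPS probes.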
Creating a PKCS12 keystore with a new key pair
The command below generates a new RSA key pair with a self-signed certificate directly in a PKCS12 keystore (it does not convert an existing JKS file). The alias and password you choose here are the values for SSL_KEY_ALIAS and SSL_KEY_STORE_PASSWORD.

```shell
keytool -genkeypair -alias <ALIAS> -keyalg RSA -keysize 4096 -storetype PKCS12 -keystore manager.p12 -validity 3650 -storepass <PASSWORD>
```
Add your file with the .p12 extension to the /etc/ssl/certs directory. In the example deployment below the manager-tls secret is mounted at /etc/ssl/ and SSL_KEY_STORE points to /etc/ssl/manager.p12; whichever directory you use, SSL_KEY_STORE must equal the mountPath plus the file name stored in the secret.
Variables that need to be defined:

| Variable | Description |
|---|---|
| SSL_KEY_STORE | Path of the keystore containing the SSL certificate. In the example below it is the absolute path of the mounted file, /etc/ssl/manager.p12. |
| SSL_KEY_STORE_PASSWORD | Password used to open the keystore. |
| SSL_KEY_STORE_TYPE | Keystore type (PKCS12 in this example). |
| SSL_KEY_ALIAS | Alias that identifies the key entry in the keystore. |
| SSL_ENABLED | Makes the Spring Boot application serve HTTPS. |
| SERVER_PORT | Port the server listens on; 8443 is used instead of the default 8080. |
An example API Manager deployment YAML file:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: manager
  namespace: apinizer
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: manager
      version: v1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 75%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: manager
        version: v1
    spec:
      automountServiceAccountToken: true
      volumes:
        - name: manager-tls
          secret:
            secretName: manager-tls
      containers:
        - env:
            - name: JAVA_OPTS
              value: ' -XX:MaxRAMPercentage=75.0 -Dlog4j.formatMsgNoLookups=true'
            - name: LOGGING_LEVEL_ROOT
              value: INFO
            - name: LOGGING_LEVEL_com_apinizer_manager
              value: INFO
            - name: SPRING_SERVLET_MULTIPART_MAX_FILE_SIZE
              value: 20MB
            - name: SPRING_SERVLET_MULTIPART_MAX_REQUEST_SIZE
              value: 50MB
            - name: SPRING_PROFILES_ACTIVE
              value: prod
            - name: SSL_KEY_STORE
              value: /etc/ssl/manager.p12
            - name: SSL_KEY_STORE_PASSWORD
              value: <PASSWORD>
            - name: SSL_KEY_STORE_TYPE
              value: PKCS12
            - name: SSL_KEY_ALIAS
              value: <ALIAS>
            - name: SSL_ENABLED
              value: "true"
            - name: SERVER_PORT
              value: "8443"
            - name: SPRING_DATA_MONGODB_URI
              valueFrom:
                secretKeyRef:
                  key: dbUrl
                  name: mongo-db-credentials
            - name: SPRING_DATA_MONGODB_DATABASE
              valueFrom:
                secretKeyRef:
                  key: dbName
                  name: mongo-db-credentials
          volumeMounts:
            - name: manager-tls
              mountPath: /etc/ssl/
          image: apinizercloud/manager:<APINIZER_VERSION>
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/sh
                  - -c
                  - sleep 10
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /apinizer/management/health
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 120
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 30
          name: manager
          ports:
            - containerPort: 8443
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /apinizer/management/health
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 120
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 30
          resources:
            limits:
              cpu: 1
              memory: 3Gi
          securityContext:
            allowPrivilegeEscalation: true
            readOnlyRootFilesystem: false
            runAsGroup: 0
            runAsNonRoot: false
            runAsUser: 0
          startupProbe:
            failureThreshold: 3
            httpGet:
              path: /apinizer/management/health
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 90
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 30
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
---
apiVersion: v1
kind: Service
metadata:
  name: manager
  namespace: apinizer
  labels:
    app: manager
spec:
  selector:
    app: manager
  type: NodePort
  ports:
    - name: http
      port: 8443
      nodePort: 32081
```
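Most SSL rollouts of this deployment fail on a mismatch between the manifest's own fields: the keystore path not matching the mount path plus secret file name, a probe still on HTTP, or SERVER_PORT differing from containerPort. As an added example (not part of the Apinizer documentation or product), the Python below runs those consistency checks over the deployment, and also flags the two points a reviewer would raise about the manifest as shown: SSL_KEY_STORE_PASSWORD is an inline literal rather than a secretKeyRef like the Mongo settings, and the securityContext runs the container as root with privilege escalation allowed. MANIFEST is a hand-constructed, reduced copy of the page's Deployment containing only the fields the checks read; on a real cluster, pass the dict from `yaml.safe_load()` of the manifest file instead. SECRET_FILES records which file names each secret carries (manager.p12 from the kubectl command above).

```python
"""Consistency and hardening checks for an API Manager SSL Deployment (added example, not Apinizer code)."""
from dataclasses import dataclass
import posixpath

HEALTH = {"path": "/apinizer/management/health", "port": 8443, "scheme": "HTTPS"}

# Constructed: reduced from the page's Deployment, only the fields the checks read.
MANIFEST = {"spec": {"template": {"spec": {
    "volumes": [{"name": "manager-tls", "secret": {"secretName": "manager-tls"}}],
    "containers": [{
        "name": "manager",
        "env": [
            {"name": "SSL_KEY_STORE", "value": "/etc/ssl/manager.p12"},
            {"name": "SSL_KEY_STORE_PASSWORD", "value": "<PASSWORD>"},
            {"name": "SSL_KEY_STORE_TYPE", "value": "PKCS12"},
            {"name": "SSL_KEY_ALIAS", "value": "<ALIAS>"},
            {"name": "SSL_ENABLED", "value": "true"},
            {"name": "SERVER_PORT", "value": "8443"},
            {"name": "SPRING_DATA_MONGODB_URI",
             "valueFrom": {"secretKeyRef": {"name": "mongo-db-credentials", "key": "dbUrl"}}},
        ],
        "volumeMounts": [{"name": "manager-tls", "mountPath": "/etc/ssl/"}],
        "ports": [{"containerPort": 8443, "protocol": "TCP"}],
        "livenessProbe": {"httpGet": dict(HEALTH)},
        "readinessProbe": {"httpGet": dict(HEALTH)},
        "startupProbe": {"httpGet": dict(HEALTH)},
        "securityContext": {"allowPrivilegeEscalation": True, "readOnlyRootFilesystem": False,
                            "runAsGroup": 0, "runAsNonRoot": False, "runAsUser": 0},
    }],
}}}}
# Constructed: file names held by each secret (kubectl create secret ... --from-file=manager.p12).
SECRET_FILES = {"manager-tls": ["manager.p12"]}


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str


def literal_env(c):
    """Env vars set as inline literals; valueFrom references are deliberately excluded."""
    return {e["name"]: e["value"] for e in c.get("env", []) if "value" in e}


def mounted_files(pod, c, secret_files):
    """Absolute paths of secret files visible inside container c (mountPath + file name)."""
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    paths = set()
    for m in c.get("volumeMounts", []):
        secret = volumes.get(m["name"], {}).get("secret", {}).get("secretName")
        paths.update(posixpath.join(m["mountPath"], f) for f in secret_files.get(secret, []))
    return paths


def check_keystore(pod, c, secret_files):
    """SSL_KEY_STORE must name a file the mounted secret really provides, of the declared type."""
    env, out = literal_env(c), []
    ks = env.get("SSL_KEY_STORE", "")
    provided = mounted_files(pod, c, secret_files)
    if ks not in provided:
        out.append(Finding("KEYSTORE_NOT_MOUNTED", f"{ks!r} not among mounted secret files {sorted(provided)}"))
    if env.get("SSL_KEY_STORE_TYPE") == "PKCS12" and not ks.endswith(".p12"):
        out.append(Finding("KEYSTORE_TYPE_MISMATCH", f"type PKCS12 but file is {ks!r}"))
    return out


def check_tls_ports(c):
    """With SSL on, SERVER_PORT, containerPort and every probe must agree, and probes must use HTTPS."""
    env, out = literal_env(c), []
    if env.get("SSL_ENABLED") != "true":
        return [Finding("SSL_DISABLED", 'SSL_ENABLED is not "true"')]
    port = int(env.get("SERVER_PORT", "8080"))  # 8080 is the Spring Boot default when unset
    if port not in {p["containerPort"] for p in c.get("ports", [])}:
        out.append(Finding("PORT_NOT_EXPOSED", f"SERVER_PORT {port} has no matching containerPort"))
    for probe in ("livenessProbe", "readinessProbe", "startupProbe"):
        get = c.get(probe, {}).get("httpGet")
        if get and get.get("scheme") != "HTTPS":
            out.append(Finding("PROBE_NOT_HTTPS", f"{probe} scheme is {get.get('scheme', 'HTTP')}"))
        if get and get.get("port") != port:
            out.append(Finding("PROBE_PORT_MISMATCH", f"{probe} targets {get.get('port')}, server on {port}"))
    return out


def check_secret_handling(c):
    """Passwords belong in a Secret via valueFrom.secretKeyRef (as the Mongo settings are), not inline."""
    return [Finding("SECRET_IN_LITERAL_ENV", e["name"]) for e in c.get("env", [])
            if "value" in e and "PASSWORD" in e["name"].upper()]


def check_security_context(c):
    """Flag root and privilege-escalation settings left at their permissive values."""
    sc, out = c.get("securityContext", {}), []
    if sc.get("runAsUser") == 0 or not sc.get("runAsNonRoot", False):
        out.append(Finding("RUNS_AS_ROOT", f"runAsUser={sc.get('runAsUser')} runAsNonRoot={sc.get('runAsNonRoot')}"))
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
        out.append(Finding("PRIVILEGE_ESCALATION_ALLOWED", "allowPrivilegeEscalation is not false"))
    if not sc.get("readOnlyRootFilesystem", False):
        out.append(Finding("WRITABLE_ROOT_FS", "readOnlyRootFilesystem is not true"))
    return out


def lint(manifest, secret_files, container_name="manager"):
    """All findings for the named container; an empty list means the manifest is consistent and hardened."""
    pod = manifest["spec"]["template"]["spec"]
    c = next(x for x in pod["containers"] if x["name"] == container_name)
    return (check_keystore(pod, c, secret_files) + check_tls_ports(c)
            + check_secret_handling(c) + check_security_context(c))


if __name__ == "__main__":
    for f in lint(MANIFEST, SECRET_FILES):
        print(f"{f.code}: {f.detail}")
```

On the manifest as printed above, the path, port and probe checks pass and four findings remain: the inline keystore password and the three securityContext settings. Moving SSL_KEY_STORE_PASSWORD into a secretKeyRef and setting runAsNonRoot/allowPrivilegeEscalation/readOnlyRootFilesystem clears them; whether the image tolerates a read-only root filesystem has to be verified against the vendor's image, so treat that last finding as a question rather than a fixed requirement.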
Creating a Certificate
Steps to follow to create your own certificate. The result is self-signed, so it is trusted only by clients that have been configured to trust it.

```shell
# Create a private key
openssl genrsa -out server.key 2048
# Create a CSR (Certificate Signing Request); the subject fields are prompted for interactively
openssl req -new -key server.key -out server.csr
# Self-sign the certificate with the same key (valid for 365 days)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# Bundle key and certificate in PKCS#12 format; the export password you are prompted for is the SSL_KEY_STORE_PASSWORD value
openssl pkcs12 -export -out manager.p12 -inkey server.key -in server.crt
```

Pass `-name <ALIAS>` to the last command to set the entry's friendly name; that is the alias `keytool -list` shows and the value SSL_KEY_ALIAS must reference.