Using Mutual TLS for Extensions
For stronger security, the communication between the outpost agent and extensions can be secured using mutual TLS.
You need to configure a client certificate at the agent that will be used to communicate with the extensions. And also a server certificate and client CAs at the extension to verify the client certificate.
using Helm Chart
using Environment Variables
Using a Secret
In case the client certificate is stored in a secret, you can directly reference it:
outpost.extensions.tls.clientCertificate.fromSecret=some-client-secret
Using a Container path
If you put the client certificate into the container some other way, use this option to tell the outpost agent where to find it:
outpost.extensions.clientCertificate.path=/some/client.crt
outpost.extensions.clientCertificate.key.path=/some/client.key
Password Protected Private Keys
In case the private key is password protected, you can specify it as well:
Using a Value
outpost.extensions.tls.clientCertificate.key.password.value=password123
Using a Secret
outpost.extensions.tls.clientCertificate.key.password.valueFrom.secretKeyRef.name=some-secret
outpost.extensions.tls.clientCertificate.key.password.valueFrom.secretKeyRef.key=some-key
Additional Certificate Authorities
In case the extension uses custom CAs that are not known to the outpost agent, you can add them as well:
Using a Volume Mount
The volume in this sample refers to a config map, but any other volume config would work as well.
outpost.extraCertificates.fromVolume=extra-certs
outpost.extraVolumes[0].name=extra-certs
outpost.extraVolumes[0].configMap.name=self-signed-ca
Using Container Path
If you put the extra CAs into the container another way, you can specify the path to it:
outpost.extraCertificates.fromVolume=extra-certs
Client Certificate
STEADYBIT_AGENT_EXTENSIONS_CLIENT_CERT_CHAIN_FILE=/some/client.crt
STEADYBIT_AGENT_EXTENSIONS_CLIENT_CERT_KEY_FILE=/some/client.key
Password Protected Private Keys
In case the private key is password protected, you can specify it as well:
STEADYBIT_AGENT_EXTENSIONS_CLIENT_CERT_PASSWORD=password123
Additional Certificate Authorities
In case the extension uses a custom CA that is not known to the outpost agent you can add them as well.
STEADYBIT_AGENT_EXTRA_CERTS_PATH=/some/ca-certs/
If you have successfully configured the client certificate for the outpost agent, the log should contain similar output to this:
2023-07-29 06:27:05.836 INFO 1 --- [ parallel-1] c.s.k.c.service.ExtensionHttpClient : Configuring extension http client using mutual TLS (keyFile=/opt/steadybit/agent/etc/extensions/client/tls.key, chainFile=/opt/steadybit/agent/etc/extensions/client/tls.crt)
Using Helm Chart
Using Environment Variables
The
steadybit-outpost
helm charts include all extensions provided by Steadybit using a extension-*
prefix. This sample is for extension-container
, the options shown here apply to the other extensions as well. And in case you use the extensions helm chart directly, you need to strip the prefix from the examples.For the extension to require client certificates, you need to configure both the server certificate and allowed client certificates. If you only specify a server certificate, TLS is used, but client certificates are not mandatory.
Server Certificate
Using a Secret
In case the server certificate is stored in a secret, you can directly reference it:
extension-container.tls.server.certificate.fromSecret=some-server-secret
Using a Container Path
If you put the server certificate into the container some other way, use this option to tell the outpost agent where to find it:
extension-container.tls.server.certificate.path=/some/server.crt
extension-container.tls.server.certificate.key.path=/some/server.key
Client Certificates
Using Secrets
In case the client certificates are stored in secrets, you can directly reference them:
extension-container.tls.client.certificates.fromSecrets[0]=some-secret-1
extension-container.tls.client.certificates.fromSecrets[1]=some-secret-2
using Container Path
If you put the client certificates into the container some other way, use this option to tell the outpost agent where to find them:
extension-container.tls.client.certificates.paths[0]=/some/client.crt
extension-container.tls.client.certificates.paths[1]=/some/clients/
Server Certificate
STEADYBIT_EXTENSION_TLS_SERVER_CERT=/some/server.crt
STEADYBIT_EXTENSION_TLS_SERVER_KEY=/some/server.key
Client Certificates
STEADYBIT_EXTENSION_TLS_CLIENT_CAS=/some/client.crt,/some/clients/
If you have successfully configured the server certificate and the allowed client certificates for an extension, the log should contain similar output to this:
2023-07-29 06:26:51.600 INF Starting extension server on port 9093 (TLS: true)
Last modified 1mo ago