Eleanor is a consultant at Red Hat, interested in containerized application development and user interface design.

Configuring SSL Encryption for an Application on OpenShift

You can use Secure Sockets Layer (SSL) encryption to secure the data that moves between your application on OpenShift and a database manager, web server, etc. More info on SSL here.

Once you've configured your database instance or server to use SSL, you'll need a certificate/encryption key to establish the secure connection from the application side. You can get a certificate by either creating a new certificate request and submitting it to a CA to be signed, or creating your own self-signed certificate (usually recommended just for testing purposes). This cert should be extracted to a file so that you can distribute it to the containers that are establishing SSL connections to your external server.

Here are the steps for mounting a cert/keystore to a running application in OpenShift.

Creating an OpenShift Secret From a File

First, put your newly created keystore file into an empty directory. We will then use the OpenShift CLI to create a secret from the contents of this directory in your project.

mkdir [keystore-directory]
mv [keystore-file] [keystore-directory]
oc create secret generic [secret-name] --from-file=. -n [project-name]

If you export your created secret (with oc export secret [secret-name] -n [project-name]), it should look something like this, with the secret named "keystore":

apiVersion: v1
data:
    keystore: [keystore-text]
kind: Secret
metadata:
    name: keystore
type: Opaque

Mounting the Secret in the Container

After you've created a secret from your keystore file, it's time to mount it as a volume in your application container. Use your application's Deployment Config to configure the name of the volume, where you want the file to be located in the container, and any necessary environment variables.

In the Deployment Config's spec > template > spec section, add a volume for the keystore file:

volumes:
    - name: keystore-volume
      secret:
          secretName: keystore

Under the containers section, specify the mount path for your volume:

volumeMounts:
    - name: keystore-volume
      mountPath: /etc/config

Then add an environment variable for the pod that points to the location of your keystore in the container:

env:
    - name: KEYSTORE_PATH
      value: /etc/config/keystore

Here is a full Deployment Config with all three parts included as an example:
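The following Deployment Config is an added example (not the original post's own file) that wires the three fragments above together in one object; the application name, label and image are assumed placeholders, and the readOnly and defaultMode settings are additions that keep the mounted keystore from being writable or world-readable inside the pod:

```yaml
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: my-app                  # assumed application name
spec:
  replicas: 1
  selector:
    app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: my-app:latest  # assumed image reference
          env:
            # Tells the application where the mounted keystore lives;
            # matches ${KEYSTORE_PATH} in the Spring Boot config below.
            - name: KEYSTORE_PATH
              value: /etc/config/keystore
          volumeMounts:
            # The secret key "keystore" becomes the file /etc/config/keystore.
            - name: keystore-volume
              mountPath: /etc/config
              readOnly: true
      volumes:
        - name: keystore-volume
          secret:
            secretName: keystore   # the secret created with oc create secret
            # Owner and group read only (0440). OpenShift runs the container
            # as an arbitrary UID inside the pod's supplemental group, so the
            # group read bit is needed for the process to open the file.
            defaultMode: 0440
```

Apply it with oc apply -f and confirm the file is present with oc rsh [pod] ls -l /etc/config before trusting the application log to tell you the keystore was found.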

Using this Certificate in your Application

There are various ways to configure SSL for different applications, but in this context you'll need to make sure that the location of your keystore file is defined as the environment variable KEYSTORE_PATH above. One example of doing this for a database in a Spring Boot application.yml looks like this:

spring:
    profiles: openshift
    database:
     . . .
        env:
            ssl:
                enabled: true
                key-store: ${KEYSTORE_PATH}

When you redeploy your application, any new pods that are spun up will have this keystore file at your /etc/config/keystore location. For the database example above, the logs look something like this:

2017-10-24 13:34:25.746 INFO 1 --- [ main] com.couchbase.client.core.CouchbaseCore : CouchbaseEnvironment: {sslEnabled=true, sslKeystoreFile='/etc/config/keystore', sslKeystorePassword=false, sslKeystore=null, . . .

And this shows that the application successfully connected to the database over an SSL-encrypted channel!

Further Info

Automatically Update Credentials in LDAP, Jenkins, and OpenShift

OpenShift Blog Tech N' Talk: TensorFlow on OpenShift