AppsCode
  • KubeDB

    Run Production-Grade Databases on Kubernetes

    arrow_forward
    Stash

    Backup and Recovery Solution for Kubernetes

    arrow_forward
    KubeVault

    Run Production-Grade Vault on Kubernetes

    arrow_forward
    Voyager

    Secure HAProxy Ingress Controller for Kubernetes

    arrow_forward
    KubeDB

    KubeDB simplifies Provision, Upgrade, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • task_altLower administrative burden
    • task_altNative Kubernetes Support
    • task_altPerformance
    • task_altAvailability and durability
    • task_altManageability
    • task_altCost-effectiveness
    • task_altSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • task_altDeclarative API
    • task_altBackup Kubernetes Volumes
    • task_altBackup Database
    • task_altMultiple Storage Support
    • task_altDeduplication
    • task_altData Encryption
    • task_altVolume Snapshot
    • task_altPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • task_altVault Kubernetes Deployment
    • task_altAuto Initialization & Unsealing
    • task_altVault Backup & Restore
    • task_altConsume KubeVault Secrets with CSI
    • task_altManage DB Users Privileges
    • task_altStorage Backend
    • task_altAuthentication Method
    • task_altDatabase Secret Engine
    Voyager

    Secure HAProxy Ingress Controller for Kubernetes

    • task_altHTTP & TCP
    • task_altSSL
    • task_altPlatform support
    • task_altHAProxy
    • task_altPrometheus
    • task_altLet's Encrypt
  • Guard

    Kubernetes Authentication WebHook Server

    • task_altIdentity Providers
    • task_altCLI
    • task_altRBAC
    Kubed

    Kubernetes cluster manager daemon

    • task_altDisaster Recovery
    • task_altEvent Forwarder
    • task_altConfiguration Syncer
    • task_altRecycle Bin
    • task_altEvent Notifiers
    • task_altJanitor
  • Webinar New
Swift
github-icon twitter-icon
TRY NOW FREE

We use cookies and other similar technology to collect data to improve your experience on our site, as described in our Privacy Policy.

You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.

Securing Swift

There are 3 aspects to securing swift connections:

  • User <-> Swift Server
  • Swift Server <-> Tiller Server
  • Swift Server <-> Chart Repo

Serve Swift api over SSL

To serve Swift api over SSL connections, you provide a server certificate pair via --tls-cert-file and --tls-private-key-file flags. If you use a self-signed certificate pair, pass the CA certificate via --tls-ca-file flag.

  --tls-ca-file string                      File containing CA certificate
  --tls-cert-file string                    File container server TLS certificate
  --tls-private-key-file string             File containing server TLS private key

You can generate certificate pair using tools like onessl, openssl, cfssl. Below are instructions for generating certificate pairs using onessl:

  • Download onessl binary from project’s Github release page:
# Linux amd64:
curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.3.0/onessl-linux-amd64 \
  && chmod +x onessl \
  && sudo mv onessl /usr/local/bin/

# Linux arm64:
curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.3.0/onessl-linux-arm64 \
  && chmod +x onessl \
  && sudo mv onessl /usr/local/bin/

# Mac OSX amd64:
curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.3.0/onessl-darwin-amd64 \
  && chmod +x onessl \
  && sudo mv onessl /usr/local/bin/
  • Now create a ca certificate pair using onessl.
$ mkdir swift
$ cd swift
$ onessl create ca-cert

$ ls -b1
ca.crt
ca.key
  • Now create a server certificate pair using the ca-certificate from previous step. Pass the domain names used to connect to Swift server using --domains flag
$ onessl create server-cert --domains=swift.kube-system.svc
Wrote server certificates in  /home/tamal/Desktop/swift

$ ls -b1
ca.crt
ca.key
server.crt
server.key
  • Now create a secret to upload certificates to a Kubernetes cluster and mount the secret is Swfift deployment.
$ kubectl create secret generic swift-ssl -n kube-system \
  --from-file=./ca.crt \
  --from-file=./server.crt \
  --from-file=./server.key

secret "swift-ssl" created

Using authentication with Chart Repository

Swift can download charts from Chart repository using basic auth, bearer auth and/or client cert auth. InstallRelease and UpdateRelease api support the following input parameters with their respectie api calls:

ParameterDescription
chart_urlRequiredURL to download chart archive.
ca_bundleOptionalPEM encoded CA bundle used to sign server certificate of chart repository.
usernameOptionalUsername for basic authentication to the chart repository.
passwordOptionalPassword for basic authentication to the chart repository.
tokenOptionalBearer token for authentication to the chart repository.
client_certificateOptionalPEM-encoded data passed as a client cert to chart repository.
client_keyOptionalPEM-encoded data passed as a client key to chart repository.
insecure_skip_verifyOptionalSkip certificate verification for chart repository.

Securely connecting to Tiller Server

You can run Swift server in the same pod as the Tiller server and connect over localhost. This will ensure that traffic between Tiller server and Swift proxy is not visible to outside parties.

If you are using SSL with your Tiller Server, you can pass the ca certificate and/or client certificate pair to Swift server to secure connect to Tiller server over TLS.

  --tiller-ca-file string                   File containing CA certificate for Tiller server
  --tiller-client-cert-file string          File container client TLS certificate for Tiller server
  --tiller-client-private-key-file string   File containing client TLS private key for Tiller server
  --tiller-endpoint string                  Endpoint of Tiller server, eg, [scheme://]host:port
  --tiller-insecure-skip-verify             Skip certificate verification for Tiller server

The server certificate used with Tiller should have the following Subject Alternative Names (SANS) to ensure that Swift can connect to it whether running in the same namespace or in different namespaces.

Subject Alternative Name (SANS)Usage
tiller-svcWhen tiller and swift both running in same namespace
tiller-svc.tiller-namespace
tiller-svc.tiller-namespace.svcWhen tiller and swift are running in different namespace

What's on this Page

Search
Improve This Page