Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

CTE for Kubernetes Administration

Using external certificates with CTE for Kubernetes

search

Using external certificates with CTE for Kubernetes

You can use External Certificates for communication between CTE for Kubernetes and CipherTrust Manager.

note

Note

Install the external certificate before registering CTE for Kubernetes with CipherTrust Manager.

copy link to clipboardOverview

CipherTrust Transparent Encryption can now use an external certificate, available at a user-defined path, to communicate with CipherTrust Manager.

copy link to clipboardPrerequisites

The external certificate must be:

  • On the file system

  • In PEM format

A key pair must already exist for the client:

  • Must have Encryption type of either:

    • sha256WithRSAEncryption

    • ecdsa-with-SHA384

  • Must be Encrypted with a pass phrase

copy link to clipboardInitial setup

  1. Obtain your external CA certificate.

  2. Create a certificate using the external CA certificate and key.

copy link to clipboardCipherTrust Manager Setup

To setup CipherTrust Manager to communicate through an external certificate:

  1. Import the CA certificate into the CipherTrust Manager, click CA > External > Add External CA.

    note

    Note

    In the Add External CA dialog, copy and paste the <ca_certificate_name>.pem file content from the UI page and provide a user-friendly name.

    For more information, see Using an Externally Generated Server Certificate for an Interface

  2. Add the CA certificate to the list of trusted sources for the web interface, click Admin Settings > Interfaces > web > Edit > External Trusted CAs.

  3. Restart the web server, click Admin Settings > Services > web > Restart.

  4. Create a registration token for the CTE agent. See Creating a Registration Token for more information.

copy link to clipboardCTE for Kubernetes Setup for Client Registration

  1. Add the Registration token to the configuration file cte-csi-regtoken.yaml with the registration_token parameter.

    apiVersion: v1
kind: Secret
metadata:
    name: cm-reg-token
type: Opaque
data:
 # This is a base64 encoded registration token.  To generate:
 # echo -n <CM REGISTRATION TOKEN STRING> | base64 -w 0
    `cm-reg-token`: <registration token in base64 format>

  2. Create a Kubernetes secret(s) with client certificate details:

    kubectl create secret generic <client-secret-name> --from-file=<clientName>.crt=client_cert.pem --from-file=<clientName>.key=client_key.pem --from-file=<clientName>.passphrase=<passphrase>

    where:
    * <client-secret-name> = unique name for secret
    * <clientName> = unique name for client
    * <passphrase> = passphrase for client

    Example

    kubectl create secret generic <client-secret-name> --from-file=client1.crt=client_cert.pem --from-file=client1.key=client_key.pem --from-file=client1.passphrase=passphrase

    You can also use files from a specific path as a Partial or Absolute path:

    kubectl create secret generic <client-secret-name> --from-file=<clientName>.crt=./client1/client_cert.pem --from-file=client1.key=./client1/client_key.pem --from-file=client1.passphrase=./client1/passphrase

    To create multiple client certificate details (certificate, key and passphrase) with the secret:

    kubectl create secret generic <client-secret-name> --from-file=<client1Name>.crt=<client1_cert.pem> --from-file=<client1Name>.key=<client1_key.pem> --from-file=<client1Name>.passphrase=<client1-passphrase>  --from-file=<client2Name>.crt=<client2_cert.pem> --from-file=<client2Name>.key=<client2_key.pem> --from-file=<client2Name>.passphrase=<client2-passphrase>

    where:
    * <client-secret-name> = unique name for secret
    * <clientName> = unique name for client
    * <passphrase> = passphrase for client

    Example

    kubectl create secret generic client1-client2-secret --from-file=client1.crt=client1_cert.pem --from-file=client1.key=client1_key.pem --from-file=client1.passphrase=client1-passphrase  --from-file=client2.crt=client2_cert.pem --from-file=client2.key=client2_key.pem --from-file=client2.passphrase=client2-passphrase

    If certificates are on different paths, provide the filename with the path (Partial or Absolute path)

    kubectl create secret generic client1-client2-secret --from-file=client1.crt=./client1/client_cert.pem --from-file=client1.key=./client1/client_key.pem --from-file=client1.passphrase=./client1/passphrase --from-file=client2.crt=./client2/client_cert.pem --from-file=client2.key=./client2/client_key.pem --from-file=client2.passphrase=./client2/passphrase
    note

    Note

    There must be an additional client certificate detail added to the secret parameter external_ca_client_secret: <client-secret-name>. This additional detail is required for each storage class deployment. This is because there is an additional requirement for Signer Registration for each storage class. This Signer Registration is an additional default registration).

  3. Create the storage-class yaml file with a client secret name:

    While creating the storage-class configuration file cte-storageclass.yaml add the following parameter:

    external_ca_client_secret: <client-secret-name>

    Also make sure that the registration token secret name from the cte-csi-regtoken.yaml is correct and contains the following parameter:

    registration_token_secret: cm-reg-token

    cte-storageclass.yaml

    apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
    name: csi-test-sc
provisioner: csi.cte.cpl.thalesgroup.com
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
parameters:

# Domain name or IP address of the CipherTrust Manager (Required)

    key_manager_addr: 192.168.70.1

# Name of the CipherTrust Manager K8s Storage Group. (Required)

    k8_storage_group: test-group

# Kubernetes Secret with CipherTrust Manager registration token (Required)

    registration_token_secret: cm-reg-Token

# Kubernetes secret with External CA signed client certificate (Optional)

    external_ca_client_secret: <client-secret-name>

# Description will be displayed in ${cm} (Optional)

    client_description: "K8s client"

# Time in minutes to wait before unregistering from the ${cm}. Default is 10 minutes.
# Once all volumes have been unguarded. Parameter must be added as a string integer value. (Optional)

    registration_period: "10"
note

Note

Each storage-class will have its own client secret with a client certificate, key and passphrase details.

note

Note

If one storage-class is being used over multiple worker nodes, then the client secret will have multiple client details (certificate, key and passphrase)

On this page