Professional Documents
Culture Documents
Service Identity Provider TLS API Documentation
Service Identity Provider TLS API Documentation
Interwork Description
• Introduction
• Migration From Server and Client Certificate API
• Certificate renewal details and examples
◦ Calculating the TTL
◦ Calculating the renewaltime
• Internal Certificate API (new, recommended)
◦ API Description
◦ Custom Resource Definition
• Server and Client Certificate APIs (old, to be deprecated and removed)
◦ Server Certificate API Description (old, soon-to-be-deprecated)
◦ Client Certificate API Description (old, soon-to-be-deprecated)
• Note about Dependencies
• The CRD and SIP-TLS API Versioning
• Version History
◦ Version 1.0.0
◦ Version 0.3.0-alpha
◦ Version 0.2.0-alpha
◦ Version 0.1.0-alpha
• References
1. Introduction
The Service Identity Provider TLS (SIP-TLS) API is used for requesting and distributing
the certificates and keys that are needed for establishing a cluster internal TLS
connection between a Service Provider and a Service Consumer in a namespace.
Service Providers and Service Consumers act as SIP-TLS clients, whereas SIP-TLS
creates the certificate requests towards the CA on behalf of the clients.
The Key Management Service PKI Secret Engine is used for providing the actual
certificates and keys.
The SIP-TLS API information is conveyed by using the Kubernetes resource attributes,
namely Custom Resource Definition (CRD), Custom Resource (CR), Kubernetes Secrets
and volume mounts to the Kubernetes Secrets from Pod templates. SIP-TLS can only
provide certificates within the same namespace.
The Internal Certificate API allows broader use cases that are not tied to the
traditional roles of "server" or "client". It is possible to request a certificate more
precisely according to the use case of the service. Any use case that is possible
by using the Server and Client Certificate API can also be realized by using
the Internal Certificate API. There are also no hard coupling between API users
and API versions, in other words, a service provider can use the Internal
Certificate API, while a service consumer uses the Server and Client
Certificate API (or vice versa). It is therefore strongly advised to take the new API
into use.
2. Migration From Server and Client Certificate
API
Services that have implemented the Server and/or Client Certificate API can
seamlessly convert to the Internal Certificate API since it is backwards compatible.
The transformation can be seen from the below tables. All parameters reside within
the YAML 'spec' object in the relevant Custom Resource template:
generated-secret-name kubernetes.generatedSecretName
common-name certificate.subject.cn
additional-sans certificate.subjectAlternativeName.dns
override-ttl certificate.validity.overrideTtl
issuer-ref certificate.issuer.reference
generated-secret-name kubernetes.generatedSecretName
common-name certificate.subject.cn
Following values must be set to new API CRs in order to the transition to be seamless:
kubernetes.certificateName client-cacertbundle.pem
Note: the default values for some of these parameters may be different than the
default values that were used in Server and Client Certificate API. For example, the
private key format has changed from 'pkcs1' to 'pkcs8'. Therefore, in order to get the
exact same certificate properties, check all the CR parameters carefully.
For renewal calculations SIP-TLS divides the certificate lifetime (TTL) into two
complementer parts, renewaltime and leadtime:
When a certificate is being created by SIP-TLS, the TTL and renewaltime values for the
certificate are calculated. The calculated TTL value will be the lifetime of the
certificate. The calculated renewaltime will be used to start a timer to trigger the next
renewal of the certificate.
The TTL of a certificate will be validLifetimeSeconds if overrideTtl is not set, and will
be overrideTtl if that is set in the CR. (See examples in the next table.)
renewaltime = renewalThresholdRatio *
minimum(validLifetimeSeconds, overrideTtl)
Please note that both the calculated TTL and the overrideLeadtime are absolute
values.
The below table shows some example configurations and their effect on TTL and
renewaltime. (For easier comparison the internalCertificate.renewalThresholdRatio is
the default 0.9 for all examples.)
604800 *
604800 0.9 - - 604800 0.9 =
544320
604800 *
604800 0.9 700000 - 700000 0.9 =
544320
700000 *
800000 0.9 700000 - 700000 0.9 =
630000
604800 -
604800 0.9 - 4800 604800 4800 =
600000
validLifeti renewalTh calculated
overrideTt overrideLe certificate
meSecond resholdRat renewal
l adtime TTL
s io time
4800 - 800
604800 0.9 4800 800 4800
= 4000
The API can be used to enable certificate-based authentication and TLS encryption
between services within the same namespace in the cluster. Among the supported
use cases are server authentication, client authentication, mutual authentication and
peer-to-peer authentication.
Services that require identity by using certificates and private keys shall use the
InternalCertificate Custom Resource (CR).
Services that want to verify certificate identities can use either the common trusted
CA, or an exclusive CA via InternalUserCA CR. The decision between CAs depends on
the specific use case of the service.
Certificates are almost always issued per interface. The type of interface defines the
type of certificate needed. For example, a service provider that exposes an end point
via REST will (probably) need a certificate with SERVER_AUTH extended key usage
flag set for server authentication. Similarly, a service consumer that consumes a REST
end point will (probably) need a certificate with CLIENT_AUTH extended key usage
flag set for client authentication.
In general, there are two levels of certificate validation steps that can be made (that
will be mentioned here):
1. CA chain verification, i.e. checking that the certificate is signed by one of the CAs
in the PKI chain leading up to a trusted CA. Commonly, the trusted CA is a self-
signed CA.
2. Common name (CN), subject alt name (SAN), or custom validation, i.e. checking
that some attribute in the certificate matches some expected value.
For example, when doing server authentication the service consumer can validate
that the hostname that is used in the connection string matches with one of the SANs
in the certificate that the service provider supplies. In this case it would be adequate
that the certificate is signed by a sub-CA of the eric-sec-sip-tls Internal Root CA.
On the other hand, when doing client authentication there is also often the desire to
do some kind of authorization. For example, the service provider wants to restrict one
of its APIs so that only a service consumer that presents a certificate with a certain CN
can access it. In order to uniquely identify that identity, both CA chain verification and
CN validation must be used, together with an exclusive CA. If many service providers
would share a CA for this purpose, then the CNs may overlap and inadvertently give
access to service consumers that it did not originally intend to. Of course, this may
also be the desired outcome, i.e. giving all service consumers in the cluster
(namespace) the same level of permissions to that service provider.
siptls.sec.ericsson.com/v1 InternalCertificate
It is not supported to
change the value of
secretType for an existing
CR. In case the secretType
kubernetes.secretType Optional; string.
is changed, the
corresponding certificate
will not be renewed
anymore and the following
printout will appear in the
log: "<NAME-OF-THE-
CHANGED-SECRET> secret
could not be updated.
Reason: Unprocessable
Entity. Please check the
corresponding certificate
for appropriate
secretType!"
Note: Fully Qualified Domain Names (FQDN) are recommended to be used in the
Custom Resource parameters for domain names. Using short names can cause issues
with the name resolution.
The default time-to-live (TTL) for the certificates is one week (604800 seconds), but it
can be extended by replacing it with the override-ttl attribute value. Extending TTL
should be done with extreme care and only for the most critical certificates. This
should not be used for creating unnecessary long-lived certificates, since using short-
lived certificates for internal communication is an architectural decision. See SIP-TLS
Service User Guide UserGuide for further information on certificate renewal.
• Server Authentication
The following certificates and keys are stored for the server side in the Kubernetes
Secrets by SIP-TLS. The mount names are defined in the Custom Resource declaration
file, but the names of the actual certificates and keys as they appear in the container
file system are as given in the table below.
The trusted CA
eric-sec-sip-tls-trusted- certificate(s). It has the
ca.crt
root-cert same content as
cacertbundle.pem.
A certificate chain
<the-service-defined- containing the server
server-cert-secret- srvcert.pem certificate concatenated
name> with the intermediate CA
certificate
<the-service-defined-
server-cert-secret- srvprivkey.pem The server private key
name>
• Client Authentication
The following certificate and private key are stored for the client side in the
Kubernetes Secrets by SIP-TLS. The mount names are defined in the Custom Resource
declaration file, but the names of the actual certificates and keys as they appear in
the container file system are as given in the table below.
<the-service-defined-
client-cert-secret- clicert.pem The client certificate
name>
<the-service-defined-
client-cert-secret- cliprivkey.pem The client private key
name>
siptls.sec.ericsson.com/v1 InternalUserCA
In the InternalUserCA, 'metadata.name' field is also part of the public API. It serves as
the reference that clients use when choosing the CA which will sign the certificate.
The InternalCertificate parameter 'certificate.issuer.reference' refers to this field.
Note: Fully Qualified Domain Names (FQDN) are recommended to be used in the
Custom Resource parameters for domain names. Using short names can cause issues
with the name resolution.
The following certificate is stored for the InternalUserCA in the Kubernetes Secrets by
SIP-TLS.
<the-service-defined-
client-cacertbundle.pem The client CA certificate
client-ca-secret-name>
The Server Certificate API can be used to enable server authentication and peer to
peer authentication.
Server Certificate API and Client Certificate API can be combined to enable mutual
authentication between the service provider and the service consumer.
In circumstances when the service does not allow configuring both server certificate
and client certificate, mutual authentication can be achieved by using Server
Certificate API and following the use case for peer to peer authentication.
The com.ericsson.sec.tls API (SIP-TLS API) provides means for a service provider to
request creation of a server certificate and a private key. The SIP-TLS stores the
created certificate material to a Kubernetes secret resource for the service provider to
use. For service consumers, the SIP-TLS API provides Kubernetes secret containing a
bundle of trusted root CA certificates.
The service providers define server certificate content in ServerCertificate and access
certificate material through the volume mount in the pod template to the Kubernetes
Secret containing the requested server certificate.
The service consumers gain access to the root CA certificates through the volume
mount in the pod template to the Kubernetes Secret containing them.
The certificates and keys are automatically renewed before they expire according to
the certificate time to live. The service providers and consumers are responsible for
monitoring the mounted volumes in order to be able to detect the certificate
renewals.
The following Custom Resources specification file is used to provide the content of the
certificate and the Kubernetes Secret name for the certificate. The certificate is
configured by the ServerCertificate Custom Resource declaration file.
apiVersion: com.ericsson.sec.tls/v1alpha1
kind: ServerCertificate
metadata:
name: {{ template "example-service-provider.name" . }}
spec:
## Mandatory; string
## The Kubernetes Secret where the server certificate and key are
stored.
## Must be unique.
generated-secret-name: <the-service-defined-server-cert-secret-name>
## Mandatory; string
## The Subject CN within the server certificate.
common-name: <the-service-name>
The names (written with <..>) in the Custom Resource declaration files must be
defined by the service provider.
Service provider receives the TLS server certificate with Subject Common Name and
Subject Alternative Name according to the common-name and additional-sans
fields.
By default the Subject Alternative Name of the certificate will include the following.
DNS:<the-service-name>
DNS:<the-service-name>.<namespace>
DNS:<the-service-name>.<namespace>.svc
DNS:<the-service-name>.<namespace>.svc.cluster
DNS:<the-service-name>.<namespace>.svc.cluster.local
The default time-to-live (TTL) for the certificates is one week (604800 seconds), but it
can be extended by replacing it with the override-ttl attribute value. Extending TTL
should be done with extreme care and only for the most critical certificates. This
should not be used for creating unnecessary long-lived certificates, since using short-
lived certificates for internal communication is an architectural decision. See SIP-TLS
Service User Guide UserGuide for further information on certificate renewal.
The following certificates and keys related to the server certificate feature are stored
in the Kubernetes Secrets by SIP-TLS. The mount names are defined in the Custom
Resource declaration file, but the names of the actual certificates and keys as they
appear in the container file system are as given in the table below.
Secret Name File Name Content Description
The trusted CA
eric-sec-sip-tls-trusted- certificate(s). It has the
ca.crt
root-cert same content as
cacertbundle.pem.
A certificate chain
<the-service-defined- containing the server
server-cert-secret- srvcert.pem certificate concatenated
name> with the intermediate CA
certificate
<the-service-defined-
server-cert-secret- srvprivkey.pem The server private key
name>
Mount points for the secrets are given by the service provider and service consumer
Resource declaration files.
The SIP-TLS API (com.ericsson.sec.tls) is used for requesting and providing Client CA
Certificate for the service provider and client certificates and associated private keys
for the service consumer. The certificate content and the distribution storage volume
in the pod template can be configured in Resource declaration files.
The client certificates and private keys are automatically renewed before expiration.
The service consumers are responsible for monitoring the mounted volumes in order
to be able to detect the certificate renewals.
The Client CA Certificate is a root CA certificate and as such, it has a fixed long
expiration period. The long expiration period helps to avoid a situation where the CA
certificates expire e.g. due to clock skew or system clock resetting to Epoch. This also
helps to avoid scenarios where the Client Certificates and Client CA Certificates expire
simultaneously causing potentially a long break in service.
The SIP-TLS provided Client CA Certificate has a time-to-live period of 100 years.
The following Custom Resources specification files are used to provide the content of
the certificates and the Kubernetes Secret names for the certificates.
apiVersion: com.ericsson.sec.tls/v1alpha1
kind: CertificateAuthority
metadata:
name: {{ template "example-service-provider.name" . }}-ca
spec:
## Mandatory; string
## The Kubernetes Secret where the CA certificate is stored.
## Must be unique.
generated-secret-name: <the-service-defined-client-ca-secret-name>
## Mandatory; string
## CA certificate Issuer/Subject CN. E.g. "<service-name> Internal
Client CA".
common-name: <the-ca-common-name>
The names (written with <..>) in the Custom Resource declaration file must be
defined by the service provider.
The service provider receives the Client Certificate CA with Subject Common Name.
apiVersion: com.ericsson.sec.tls/v1alpha1
kind: ClientCertificate
metadata:
name: {{ template "example-service-consumer.name" . }}-consumer-
certificate
spec:
## Mandatory; string
## The Kubernetes Secret where the client certificate and key are
stored.
## Must be unique.
generated-secret-name: <the-service-defined-client-cert-secret-name>
## Mandatory; string
## The Subject CN within the client certificate
common-name: <the-service-name>
## Mandatory; string
## The identifier for the service provider client CA. Decides from
which CA to request the client certificate.
## This refers to field 'CertificateAuthority.metadata.name' in the
'CertificateAuthority'.
issuer-ref: <ca-certificate-resource-name>
The names (written with <..>) in the Custom Resource declaration file must be
defined by the service consumer.
The default time-to-live (TTL) for the certificates is one week (604800 seconds), but it
can be extended by replacing it with the override-ttl attribute value. Extending TTL
should be done with extreme care and only for the most critical certificates. This
should not be used for creating unnecessary long-lived certificates, since using short-
lived certificates for internal communication is an architectural decision. See SIP-TLS
Service User Guide UserGuide for further information on certificate renewal.
The following certificates and private keys related to the client certificate feature are
stored in the Kubernetes Secrets by SIP-TLS. The mount names are defined in the
Custom Resource declaration file, but the names of the actual certificates and keys as
they appear in the container file system are as given in the table below.
Secret Name File Name Content Description
<the-service-defined-
client-cacertbundle.pem The client CA certificate
client-ca-secret-name>
<the-service-defined-
client-cert-secret- clicert.pem The client certificate
name>
<the-service-defined-
client-cert-secret- cliprivkey.pem The client private key
name>
In case of older version of KMS or DCED not defining the high certificate renewal
frequency with the Internal Certificate API CR attribute
certificate.validity.overrideLeadTime, the set of optional SIP-TLS deployment attributes
.renewalThresholdRatio can be used, see UserGuide.
siptls.sec.ericsson.com/
InternalCertificate 0.3.0-alpha
v1alpha1
siptls.sec.ericsson.com/
InternalUserCA 0.3.0-alpha
v1alpha1
com.ericsson.sec.tls/
ServerCertificate 0.2.0-alpha
v1alpha1
com.ericsson.sec.tls/
CertificateAuthority 0.2.0-alpha
v1alpha1
com.ericsson.sec.tls/
ClientCertificate 0.2.0-alpha
v1alpha1
8. Version History
8.1. Version 1.0.0
• The following CRDs were promoted from v1alpha1 to stable version. The actual
API content remain the same. Stable version shall be used whenever possible.
• internalcertificates.siptls.sec.ericsson.com/v1
• internalusercas.siptls.sec.ericsson.com/v1
• internalcertificates.siptls.sec.ericsson.com/v1alpha1
• internalusercas.siptls.sec.ericsson.com/v1alpha1
Backwards compatible changes which contains the following additions, along with
minor editorial fixes:
Initial version
• servercertificates.com.ericsson.sec.tls/v1alpha1
• clientcertificates.com.ericsson.sec.tls/v1alpha1
• certificateauthorities.com.ericsson.sec.tls/v1alpha1
9. References
Service Identity Provider TLS User Guide doc-no:[1/1553-APR 201 36/2]
Service Identity Provider TLS Application Developers Guide doc-no:[1/198 17-APR 201
36/2]
Kubernetes / Custom Resources doc-no