When you expose an application through Ingress, the connection from the browser to the proxy is secured with TLS. The connection from the proxy to the backend Liberty server is plain HTTP unless you also configure TLS on the backend. If you want to secure the backend connection, complete this task.
About this task
The configuration map contains a server.xml configuration fragment that Liberty merges into the server configuration as a configuration dropin. The fragment enables the feature that is required for SSL and configures the Liberty server or the Liberty service to use the certificates that are generated from the fabric. Because the fragment is mounted under configDropins/defaults, a keyStore element with the same id in the image's own server.xml takes precedence over it; if your image already defines defaultKeyStore or defaultTrustStore, mount the fragment under configDropins/overrides instead.
Procedure
- Create the file libertyssl.xml with the following contents. The keystore and truststore passwords are not written into the file: Liberty reads them from the MB_KEYSTORE_PASSWORD and MB_TRUSTSTORE_PASSWORD environment variables, which a later step populates from Kubernetes secrets.
<?xml version="1.0" encoding="UTF-8"?>
<server>
    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" location="/etc/wlp/config/keystore/key.jks"
              password="${env.MB_KEYSTORE_PASSWORD}" />
    <keyStore id="defaultTrustStore" location="/etc/wlp/config/truststore/trust.jks"
              password="${env.MB_TRUSTSTORE_PASSWORD}" />
</server>
- Create the config map from the file that you created in the previous step:
kubectl create configmap liberty-ssl --from-file=libertyssl.xml
- Ensure that the Kubernetes secrets exist. Run the following kubectl command and find the mb-truststore, mb-truststore-password, mb-keystore, and mb-keystore-password secrets in the list:
kubectl get secrets
- Run the following kubectl command and find the liberty-ssl configuration map in the list:
kubectl get configmap
- In your Liberty service deployment.yaml file, create the following Service. Port 9443 is the port that the Ingress backend targets. Note that type: NodePort also publishes both the HTTP and the HTTPS port on every node's IP, which bypasses the proxy; if the application should be reachable only through Ingress, use type: ClusterIP instead.
apiVersion: v1
kind: Service
metadata:
  name: liberty
  labels:
    name: liberty
spec:
  selector:
    name: liberty
  ports:
  - name: http
    protocol: TCP
    port: 9080
    targetPort: 9080
  - name: https
    protocol: TCP
    port: 9443
    targetPort: 9443
  type: NodePort
- In your Liberty service deployment.yaml file, create the following Ingress resource. The secure-backends annotation makes the nginx proxy connect to service port 9443 over TLS instead of plain HTTP. This encrypts the proxy-to-pod hop, but on its own it does not verify the certificate that the backend presents, so it defends against eavesdropping on the cluster network, not against an endpoint that presents an arbitrary certificate. Later ingress-nginx releases replaced this annotation with nginx.ingress.kubernetes.io/backend-protocol: "HTTPS".
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: liberty
  labels:
    name: liberty
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/affinity: "cookie"
    ingress.kubernetes.io/session-cookie-name: "route"
    ingress.kubernetes.io/session-cookie-hash: "sha1"
    ingress.kubernetes.io/rewrite-target: /
    ingress.kubernetes.io/secure-backends: "true"
spec:
  rules:
  - host:
    http:
      paths:
      - path: /liberty
        backend:
          serviceName: liberty
          servicePort: 9443
- In your Liberty server or Liberty service deployment.yaml file, create the volumes onto which the secrets and the configuration map will be mounted. Use the following code snippet without modifying it:
volumes:
- name: keystores
  secret:
    secretName: mb-keystore
- name: truststores
  secret:
    secretName: mb-truststore
- name: liberty-ssl
  configMap:
    name: liberty-ssl
    items:
    - key: libertyssl.xml
      path: defaults/libertyssl.xml
- In your Liberty server or Liberty service deployment.yaml file, mount the created volumes. Use the following code snippet without modifying it. The config map item lands at /config/configDropins/defaults/libertyssl.xml, which Liberty reads as a default configuration dropin; because a volume mounted at /config/configDropins hides anything the image already ships in that directory, check that the image does not rely on dropins of its own there.
volumeMounts:
- name: keystores
  mountPath: /etc/wlp/config/keystore
  readOnly: true
- name: truststores
  mountPath: /etc/wlp/config/truststore
  readOnly: true
- name: liberty-ssl
  mountPath: /config/configDropins
  readOnly: true
- In your Liberty server or Liberty service deployment.yaml file, specify the environment variables that reference the Kubernetes secrets. Use the following code snippet without modifying it:
env:
- name: MB_KEYSTORE_PASSWORD
  valueFrom:
    secretKeyRef:
      name: mb-keystore-password
      key: password
- name: MB_TRUSTSTORE_PASSWORD
  valueFrom:
    secretKeyRef:
      name: mb-truststore-password
      key: password
Example
The following example is a sample Liberty deployment file. It uses the mb-truststore, mb-truststore-password, mb-keystore, and mb-keystore-password Kubernetes secrets; the MB_KEYSTORE_PASSWORD and MB_TRUSTSTORE_PASSWORD environment variables; and the liberty-ssl configuration map:
apiVersion: v1
kind: Service
metadata:
  name: liberty
  labels:
    name: liberty
spec:
  selector:
    name: liberty
  ports:
  - name: http
    protocol: TCP
    port: 9080
    targetPort: 9080
  - name: https
    protocol: TCP
    port: 9443
    targetPort: 9443
  type: NodePort
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: liberty
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: liberty
    spec:
      containers:
      - name: liberty
        image: master.cfc:8500/admin/liberty:latest
        ports:
        - containerPort: 9080
        - containerPort: 9443
        readinessProbe:
          httpGet:
            path: /
            port: 9080
        env:
        - name: MB_KEYSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mb-keystore-password
              key: password
        - name: MB_TRUSTSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mb-truststore-password
              key: password
        volumeMounts:
        - name: keystores
          mountPath: /etc/wlp/config/keystore
          readOnly: true
        - name: truststores
          mountPath: /etc/wlp/config/truststore
          readOnly: true
        - name: liberty-ssl
          mountPath: /config/configDropins
          readOnly: true
      volumes:
      - name: keystores
        secret:
          secretName: mb-keystore
      - name: truststores
        secret:
          secretName: mb-truststore
      - name: liberty-ssl
        configMap:
          name: liberty-ssl
          items:
          - key: libertyssl.xml
            path: defaults/libertyssl.xml
      imagePullSecrets:
      - name: admin.registrykey
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: liberty
  labels:
    name: liberty
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/affinity: "cookie"
    ingress.kubernetes.io/session-cookie-name: "route"
    ingress.kubernetes.io/session-cookie-hash: "sha1"
    ingress.kubernetes.io/rewrite-target: /
    ingress.kubernetes.io/secure-backends: "true"
spec:
  rules:
  - host:
    http:
      paths:
      - path: /liberty
        backend:
          serviceName: liberty
          servicePort: 9443
What to do next
Run kubectl create -f with your deployment.yaml file to deploy the application. Then access your application from the following URL:
https://<yourproxyip>/liberty
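As an added example that is not part of the original page, the following POSIX shell script checks the prerequisites from the procedure (the four secrets and the liberty-ssl config map) before you run kubectl create, and after deployment verifies what the "What to do next" URL alone cannot show: that the Liberty pod mounted the dropin and both stores, that port 9443 negotiates TLS with a certificate from the mounted keystore, and that the generated nginx configuration reaches the backend over https. The pod label name=liberty and all paths come from the procedure; the INGRESS_NS and INGRESS_POD variables, the local forward port 19443, and the presence of ls in the Liberty image are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original page: pre-flight and post-deploy checks
# for the TLS-secured Liberty backend configured in the procedure above.
# Assumptions not stated on the page: INGRESS_NS and INGRESS_POD (the ingress
# controller pod) are set by the operator, local port 19443 is free, and the
# Liberty image provides ls. The label name=liberty and all paths are from the page.

REQUIRED_SECRETS="mb-keystore mb-keystore-password mb-truststore mb-truststore-password"
REQUIRED_CONFIGMAPS="liberty-ssl"

# missing_names NAME...: reads "kind/name" lines (kubectl get <kind> -o name) on
# stdin, prints each NAME that is absent and returns 1 if any is missing.
# Pure text processing, so it can be exercised without a cluster.
missing_names() {
    present=$(sed 's#^[^/]*/##')
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$present" | grep -qx -- "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return $rc
}

# preflight: every object the deployment references must exist before
# kubectl create; otherwise the pod hangs in ContainerCreating (missing secret
# volume) or CreateContainerConfigError (missing secretKeyRef).
preflight() {
    ok=0
    miss=$(kubectl get secrets -o name | missing_names $REQUIRED_SECRETS) \
        || { printf 'missing secret: %s\n' $miss; ok=1; }
    miss=$(kubectl get configmap -o name | missing_names $REQUIRED_CONFIGMAPS) \
        || { printf 'missing config map: %s\n' $miss; ok=1; }
    [ "$ok" -eq 0 ] && echo "preflight: all required secrets and config maps exist"
    return "$ok"
}

# verify_backend_tls: the running pod must have the dropin and both stores mounted,
# and port 9443 must negotiate TLS with the certificate from the mounted keystore.
verify_backend_tls() {
    pod=$(kubectl get pods -l name=liberty -o jsonpath='{.items[0].metadata.name}')
    [ -n "$pod" ] || { echo "no pod with label name=liberty" >&2; return 1; }
    kubectl exec "$pod" -- ls -l /config/configDropins/defaults/libertyssl.xml \
        /etc/wlp/config/keystore/key.jks /etc/wlp/config/truststore/trust.jks || return 1
    kubectl port-forward "$pod" 19443:9443 >/dev/null 2>&1 &
    pf=$!
    sleep 2
    # s_client fails (and x509 prints nothing) if 9443 is still a plain-HTTP listener.
    openssl s_client -connect 127.0.0.1:19443 -servername liberty </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
    rc=$?
    kill "$pf" 2>/dev/null
    return "$rc"
}

# verify_proxy_uses_tls: with secure-backends the generated nginx configuration
# must reach the backend with proxy_pass https://...; a plain http:// target for
# the /liberty location means the proxy-to-pod hop is still cleartext.
verify_proxy_uses_tls() {
    kubectl exec -n "$INGRESS_NS" "$INGRESS_POD" -- cat /etc/nginx/nginx.conf \
        | grep -n 'proxy_pass https://' \
        || { echo "no https proxy_pass found; backend hop is not TLS" >&2; return 1; }
}

case "${1:-}" in
    preflight) preflight ;;
    verify) verify_backend_tls && verify_proxy_uses_tls ;;
    "") ;;  # no argument: only define the functions (for sourcing or testing)
    *) echo "usage: $0 preflight|verify" >&2; exit 2 ;;
esac
```

Run sh check-liberty-tls.sh preflight before kubectl create and sh check-liberty-tls.sh verify once the pod is Running. The name check takes kubectl get -o name output on stdin rather than calling kubectl itself, so it can be tested with constructed input and reused for any other secret or config map the deployment references.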