February 06, 2023

Automatic TLS with Tanzu Application Platform

Introduction

Application security, especially today, is always top-of-mind. Part of the gamut of processes, tools and practices that go into making an application secure is securing the transport layer - how the application talks to clients, other parts of the application and backend systems.

It has generally been the case that when securing the transport layer that TLS would be used with whatever protocol you are using for communication - say HTTP for REST-style applications, or indeed, just any app exposing a web-page as a frontend or API.

It has also generally been the case that when enabling TLS on HTTP endpoints for internal applications that self-signed certificates are used, mainly because it is easier, quicker (and previously, cheaper) to have an internal Certificate Authority (CA) issue them for your application and manually attach them to the service.

However, it doesn’t have to be the case that this is all manual, nor that you even need to run an internal CA in order to issue certs!

Configuring TAP for Auto-TLS

With TAP 1.4 automatic issuance and provisioning of certificates is now built-in using the upstream cert-manager project, it’s now possible to have any of the supported backends issue certificates on your behalf, in this example, let’s take a look at Let’s Encrypt - a public service providing valid, publicly signed certificates.

The only thing needed from the Operator’s side is to create a ClusterIssuer object in Kubernetes that specifies the upstream service to use for certificate issuance as well as the email address in your org responsible for certs, in the below example we are using Let’s Encrypt to get publicly signed certs for our services:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
 name: letsencrypt-live
spec:
 acme:
   email: certs@yourdomain.com
   server: https://acme-v02.api.letsencrypt.org/directory
   preferredChain: "ISRG Root X1"
   privateKeySecretRef:
     name: issuer-account-key
   solvers:
     - http01:
         ingress:
           class: contour

Note: If you are not exposing your TAP instance to the internet - then obviously you can’t use the http01 solver for domain ownership verification, instead - have a look into dns01 which works with many of the more “modern” DNS providers, like Cloudflare.

Aside from the possible change to dns01 if you aren’t publicly exposing your application endpoints, you’ll have to update the email address and it will be ready to go!

Then in your TAP values.yaml file that you use for install, add a key to the shared section that points to this ClusterIssuer object:

shared:
  ingress_issuer: letsencrypt-live

At this point we are ready to update our TAP configuration, so roll out the change using tanzu CLI:

tanzu package installed update tap -p tap.tanzu.vmware.com -v 1.4.0 --values-file values.yml -n tap-install

Issuing Certs with TAP

Now that TAP knows how to request and configure certs on any ingresses - the effects you will see are twofold, firstly, the TAP core components are all now using Let’s Encrypt issued certificates so visiting your TAP Portal you’ll find it to now be using those trusted certs.

TAP Portal using valid public signed certificates

Additionally, any workloads you deploy through the platform will also be issued their own certs, below is an application we have deployed to TAP and ran through the Supply Chain.

Frontend app using LetsEncrypt signed certificates

More Information

For more information on what’s new in Tanzu Application Platform 1.4 check out the release blog, for technical getting started and install information check out the documentation or for a higher level overview, check out out the TAP product page.

To ask questions, reach out to @mylesagray on Twitter.

Filter Tags

Tanzu Tanzu Application Platform Document Operational Tutorial Intermediate Manage Kubernetes and Containers

Myles Gray

Read More from the Author