TLS Configuration

NRF Client configuration must be updated with certificates enabling transport-layer security (TLS).

Enable TLS or mutual TLS with the following steps:

  1. Add a Kubernetes secret containing the relevant certificates and client key.
  2. Update the application configuration to enable TLS and specify the path to each certificate.
  3. Mount the secret at that path.

You must create the secret before the NRF Client is deployed. Create the secret with the kubectl tool using a command similar to the following. Each --from-file argument takes the form key=file; the key becomes the file name under the volume mount path, so it must match the file names used in the application configuration:

kubectl create secret generic server-pem-secret \
  --from-file=server-cert.pem=server_cert.pem \
  --from-file=client-key.pem=client_key.pem \
  --from-file=client-cert.pem=client_cert.pem

The default application property values provide points at which to add this configuration. Obtain the default values file with a command similar to the following:

helm show values matrixx/nrf-client

For an example, see the discussion about example application configuration.

The following configuration excerpt shows TLS configuration added to the default values file:

matrixx-app:
  configMap:
    enabled: true
    files:
      application-config:
        application.yaml: |
          nrf:
            security:
              tls:
                enabled: true
                clientCertificatePath: /opt/mtx/sec/client-cert.pem
                clientKeyPath: /opt/mtx/sec/client-key.pem
                serverCertificatePaths:
                  - /opt/mtx/sec/server-cert.pem

Configuration for mounting the secret is shown in the following excerpt:

matrixx-app:
  deployment:
    volumes:
      certs:
        secret:
          secretName: server-pem-secret   # name of previously created secret
 
    containers:
      nrf-client:
        volumeMounts:
          certs:
            mountPath: /opt/mtx/sec

The following shows a full example:

matrixx-app:
  deployment:
    volumes:
      default-config:
        configMap:
          name: nrf-client-application-config
      certs:
        secret:
          secretName: server-pem-secret
 
    containers:
      nrf-client:
        env:
          VERTX_CONFIG_PATH:
            value: /opt/mtx/conf/application.yaml
        volumeMounts:
          default-config:
            mountPath: /opt/mtx/conf
          certs:
            mountPath: /opt/mtx/sec
 
  configMap:
    enabled: true
    files:
      application-config:
        application.yaml: |
          nrf:
            security:
              tls:
                enabled: true
                clientCertificatePath: /opt/mtx/sec/client-cert.pem
                clientKeyPath: /opt/mtx/sec/client-key.pem
                serverCertificatePaths:
                  - /opt/mtx/sec/server-cert.pem
            clients:
              - host: https://nrf1.matrixx.svc.cluster.local
                retryInterval: 20s
 
            nfServiceQuery:
              enabled: true
              port: 8081
              selectors:
                - label: app
                  value: chf-proxy
            mapping:
              registration:
                nfProfile:
                  heartBeatTimer: 30
                  fqdn: chf-proxy

Note: Insecure communication can be allowed in debugging and testing situations. To allow insecure communication, disable TLS by setting nrf.security.tls.enabled to false.
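The three steps above only work together when the secret's data keys, the volume mount path and the paths in application.yaml agree, because Kubernetes exposes each data key of a mounted secret as a file of exactly that name under mountPath. The following pre-deployment check is an added example, not MATRIXX code: it models the excerpts above as plain dicts (all values constructed for the example), reports every configured certificate path that the pod would not find, flags the debugging-only case of TLS being disabled, and derives a kubectl command whose data keys match the configured file names. The function and variable names are the example's own.

```python
"""Consistency check for NRF Client TLS settings (added example, not MATRIXX code).

A secret mounted as a volume exposes each data key as a file named exactly like
the key under mountPath, so a key named client_key.pem never satisfies a
configured path ending in client-key.pem. All data below is constructed.
"""
import posixpath
import shlex

# Constructed mirror of the nrf.security.tls section from the page.
TLS_CONFIG = {
    "enabled": True,
    "clientCertificatePath": "/opt/mtx/sec/client-cert.pem",
    "clientKeyPath": "/opt/mtx/sec/client-key.pem",
    "serverCertificatePaths": ["/opt/mtx/sec/server-cert.pem"],
}

# Constructed mirror of the deployment excerpt:
# volume name -> secretName, and volume name -> mountPath.
VOLUMES = {"certs": "server-pem-secret"}
VOLUME_MOUNTS = {"certs": "/opt/mtx/sec"}

# Data keys a secret gets from plain --from-file=<file> (local names kept as-is).
KEYS_FROM_FILENAMES = {"server_cert.pem", "client_key.pem", "client_cert.pem"}
# Data keys when each --from-file is given an explicit key matching the config.
KEYS_MATCHING_CONFIG = {"server-cert.pem", "client-key.pem", "client-cert.pem"}


def configured_paths(tls):
    """Return every certificate and key path the TLS section references."""
    return [tls["clientCertificatePath"], tls["clientKeyPath"], *tls["serverCertificatePaths"]]


def mount_for(path, volume_mounts):
    """Longest-prefix match of a file path against the container's mountPaths."""
    best = None
    for name, mount in volume_mounts.items():
        prefix = mount.rstrip("/") + "/"
        if path.startswith(prefix) and (best is None or len(mount) > len(volume_mounts[best])):
            best = name
    return best


def check_tls_mounts(tls, volumes, volume_mounts, secrets):
    """Return a list of problems; an empty list means the pod would find every file.

    `secrets` maps secretName -> set of data keys, as `kubectl get secret` shows them.
    """
    problems = []
    if not tls.get("enabled", False):
        problems.append("nrf.security.tls.enabled is false: NRF traffic would be sent in clear text")
    for path in configured_paths(tls):
        volume = mount_for(path, volume_mounts)
        if volume is None:
            problems.append(f"{path}: not under any volumeMount")
            continue
        secret_name = volumes.get(volume)
        if secret_name is None or secret_name not in secrets:
            problems.append(f"{path}: volume {volume!r} is not backed by a known secret")
            continue
        key = posixpath.basename(path)
        if key not in secrets[secret_name]:
            problems.append(
                f"{path}: secret {secret_name!r} has no data key {key!r} "
                f"(has {sorted(secrets[secret_name])})"
            )
    return problems


def secret_create_command(secret_name, tls, local_files):
    """Build a kubectl command whose data keys equal the configured file names.

    `local_files` maps configured basename -> local file to load, so files may keep
    underscored names on disk while the secret exposes the hyphenated names.
    """
    args = ["kubectl", "create", "secret", "generic", secret_name]
    for path in configured_paths(tls):
        key = posixpath.basename(path)
        args.append(f"--from-file={key}={local_files[key]}")
    return shlex.join(args)


if __name__ == "__main__":
    # Run the check against the keys a plain --from-file command would produce.
    for problem in check_tls_mounts(TLS_CONFIG, VOLUMES, VOLUME_MOUNTS,
                                    {"server-pem-secret": KEYS_FROM_FILENAMES}):
        print("PROBLEM:", problem)
    print(secret_create_command("server-pem-secret", TLS_CONFIG, {
        "client-cert.pem": "client_cert.pem",
        "client-key.pem": "client_key.pem",
        "server-cert.pem": "server_cert.pem",
    }))
```

Run with the secret keys that plain --from-file produces and the check lists one missing data key per configured path; run with keys named after the configured basenames and it returns nothing. In a real pipeline the `secrets` dict would be filled from `kubectl get secret <name> -o json` and the other inputs from the rendered Helm values, which the example deliberately leaves out so it runs offline.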