mirror
/
s3proxy
kopia lustrzana https://github.com/gaul/s3proxy
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

More details to how use TLS with Docker/Kubernetes

master
Yann Defretin 2023-04-21 16:04:34 +02:00
rodzic d4c6b46f95
commit c280cc3a96
1 zmienionych plików z 94 dodań i 8 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

102
SSL-support.md

@ -1,12 +1,8 @@
S3Proxy can listen on HTTPS by setting the `secure-endpoint` and S3Proxy has TLS support working both with Docker or without Docker.
[configuring a keystore](http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Generating_Keys_and_Certificates_with_JDK_keytool).
An example:
``` You first need to [configure a keystore](http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Generating_Keys_and_Certificates_with_JDK_keytool) holding your certificates and pass it to S3Proxy.
s3proxy.secure-endpoint=https://127.0.0.1:8080
s3proxy.keystore-path=keystore.jks ## Create a keystore
s3proxy.keystore-password=password
```
To setup the keystore, do To setup the keystore, do
@ -22,4 +18,94 @@ store. If the application is written in Java, you can do:
``` ```
$ keytool -exportcert -keystore keystore.jks -alias aws -rfc > aws.crt $ keytool -exportcert -keystore keystore.jks -alias aws -rfc > aws.crt
$ keytool -keystore $JAVA_HOME/jre/lib/security/cacerts -import -alias aws -file aws.crt -trustcacerts $ keytool -keystore $JAVA_HOME/jre/lib/security/cacerts -import -alias aws -file aws.crt -trustcacerts
```
## TLS without Docker
S3Proxy can listen on HTTPS by setting the `secure-endpoint` An example:
```
s3proxy.secure-endpoint=https://0.0.0.0:443
s3proxy.keystore-path=keystore.jks
s3proxy.keystore-password=password
```
## TLS with Docker
You need to configure the following environment variables:
* `S3PROXY_SECURE_ENDPOINT` ;
* `S3PROXY_KEYSTORE_PATH` ;
* `S3PROXY_KEYSTORE_PASSWORD`.
## TLS with Kubernetes
You need to create or update the secret with your S3Proxy configuration, example:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: s3proxy
namespace: default
stringData:
[...]
S3PROXY_SECURE_ENDPOINT: "https://0.0.0.0:443"
S3PROXY_KEYSTORE_PATH: "tls/keystore.jks"
S3PROXY_KEYSTORE_PASSWORD: password
```
You also need to create a secret that will contain the keystore file:
```bash
kubectl create -n default secret generic s3proxy-keystore --from-file=keystore.jks -o yaml
```
Then you will have a deployment like this:
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: s3proxy
namespace: default
labels:
app: s3proxy
spec:
replicas: 1
selector:
matchLabels:
app: s3proxy
template:
metadata:
labels:
app: s3proxy
spec:
containers:
- name: s3proxy
image: gaul/s3proxy
ports:
- name: https
containerPort: 443
envFrom:
- secretRef:
name: s3proxy
resources:
requests:
cpu: 1
memory: "1Gi"
limits:
memory: "1Gi"
volumeMounts:
- name: keystore
mountPath: /opt/s3proxy/tls
volumes:
- name: keystore
secret:
secretName: s3proxy-keystore
items:
- key: keystore.jks
path: keystore.jks
``` ```