More details to how use TLS with Docker/Kubernetes

2023-04-21 16:04:34 +02:00 · 2023-04-21 16:04:34 +02:00 · c280cc3a96
commit c280cc3a96
--- a/SSL-support.md
+++ b/SSL-support.md
@ -1,12 +1,8 @@
-S3Proxy can listen on HTTPS by setting the `secure-endpoint` and
-[configuring a keystore](http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Generating_Keys_and_Certificates_with_JDK_keytool).
-An example:
+S3Proxy has TLS support working both with Docker or without Docker. 

-```
-s3proxy.secure-endpoint=https://127.0.0.1:8080
-s3proxy.keystore-path=keystore.jks
-s3proxy.keystore-password=password
-```
+You first need to [configure a keystore](http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Generating_Keys_and_Certificates_with_JDK_keytool) holding your certificates and pass it to S3Proxy.
+
+## Create a keystore

 To setup the keystore, do

@ -23,3 +19,93 @@ store. If the application is written in Java, you can do:
 $ keytool -exportcert -keystore keystore.jks -alias aws -rfc > aws.crt
 $ keytool -keystore $JAVA_HOME/jre/lib/security/cacerts -import -alias aws -file aws.crt -trustcacerts
 ```
+
+## TLS without Docker
+
+S3Proxy can listen on HTTPS by setting the `secure-endpoint` An example:
+
+```
+s3proxy.secure-endpoint=https://0.0.0.0:443
+s3proxy.keystore-path=keystore.jks
+s3proxy.keystore-password=password
+```
+
+## TLS with Docker
+
+You need to configure the following environment variables:
+
+* `S3PROXY_SECURE_ENDPOINT` ;
+* `S3PROXY_KEYSTORE_PATH` ;
+* `S3PROXY_KEYSTORE_PASSWORD`.
+
+## TLS with Kubernetes
+
+You need to create or update the secret with your S3Proxy configuration, example:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3proxy
+  namespace: default
+stringData:
+  [...]
+  S3PROXY_SECURE_ENDPOINT: "https://0.0.0.0:443"
+  S3PROXY_KEYSTORE_PATH: "tls/keystore.jks"
+  S3PROXY_KEYSTORE_PASSWORD: password
+```
+
+You also need to create a secret that will contain the keystore file:
+
+```bash
+kubectl create -n default secret generic s3proxy-keystore --from-file=keystore.jks -o yaml
+```
+
+Then you will have a deployment like this:
+
+```yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: s3proxy
+  namespace: default
+  labels:
+    app: s3proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: s3proxy
+  template:
+    metadata:
+      labels:
+        app: s3proxy
+    spec:
+      containers:
+        - name: s3proxy
+          image: gaul/s3proxy
+          ports:
+            - name: https
+              containerPort: 443
+          envFrom:
+            - secretRef:
+                name: s3proxy
+          resources:
+            requests:
+              cpu: 1
+              memory: "1Gi"
+            limits:
+              memory: "1Gi"
+          volumeMounts:
+          - name: keystore
+            mountPath: /opt/s3proxy/tls
+      volumes:
+        - name: keystore
+          secret:
+            secretName: s3proxy-keystore
+            items:
+              - key: keystore.jks
+                path: keystore.jks
+
+```