Install AnyCAGateway REST in Containers Under Kubernetes

When the AnyCAGateway REST is installed in a containerized implementation, it runs in two containers (one short-lived) under Kubernetes and is managed with a Helm chart.

The artifactory for AnyCAGateway REST images can be found in the following JFrog repository:

repo.keyfactor.com/charts/command/anygateway-rest
Note:  For artifactory credentials or more information, check with your Keyfactor Client Success Manager or contact support@keyfactor.com.
Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.
Setup Kubernetes Resources

The following steps copy necessary files and create Kubernetes secrets to prepare for the AnyCAGateway REST install.

  1. On your Kubernetes server, create a directory from which you will run the install. For example:

    sudo mkdir /opt/kyf_gateway

  2. If desired, create a namespace for AnyCAGateway REST resources and containers in Kubernetes. For example:

    sudo kubectl create namespace keyfactor-gateway

  3. Create a configmap in Kubernetes containing CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. root and issuing certificates for all CAs that will be accessed through this instance of the AnyCAGateway REST and placed in the root trust store of the Kubernetes server (see Third-Party CA Certificate(s)).

    Once the host’s trust store is updated with all the certificates you will need, create the configmap. For example:

    sudo kubectl create configmap ca-roots --namespace keyfactor-gateway --from-file=/etc/ssl/certs/ca-certificates.crt
    Note:  The standard path to the trusted root store will vary depending on your Linux implementation.

  4. Create a secret in Kubernetes for the credentials you will use to authenticate to the Keyfactor artifactory. For example:

    sudo kubectl create secret docker-registry image-creds --namespace keyfactor-gateway --docker-server=repo.keyfactor.com --docker-username=YourRepoUsername --docker-password=YouSuperSecretRepoAPIKeyorToken --docker-email=my.email@my-domain.com
    Note:  For artifactory credentials or more information, check with your Keyfactor Client Success Manager or contact support@keyfactor.com.

  5. Create a secret in Kubernetes for the service account in SQL that will be used for ongoing connectivity between the gateway and SQL. For example:

    sudo kubectl create secret generic service-password --namespace keyfactor-gateway --from-literal=service-password=SQL_Service_Account_Password

    The username for this account is specified in the values-local.yaml file. The account will be created in SQL, if it does not already exist, and granted the gateway_service role.

  6. Create secrets in Kubernetes to allow the AnyCAGateway REST to authenticate to your OAuth provider (see Preparing). For example:

    sudo kubectl create secret generic idp-secrets --namespace keyfactor-gateway --from-literal=client-secret=Your_AnyGateway_Client_Secret --from-literal=client-id=Your_AnyGateway_Client_Id

  7. Create secrets in Kubernetes for the connection string used to access your SQL server. For example:

    sudo kubectl create secret generic connection-strings -n keyfactor-gateway --from-literal=connection-key="Data Source=<SQL_MACHINE_FQDN>;Initial Catalog=<SQL_DB_NAME>;Integrated Security=False;Persist Security Info=True;User ID=<USERNAME>;Password=<PASSWORD>;"
    Note:  If you prefer, you may specify the SQL server name, database name, username, and password in the values file directly instead, but Keyfactor recommends using a secret for best security practice.

  8. Prepare and create secrets in Kubernetes for the TLSClosed TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. certificate that will secure communications to the AnyCAGateway REST server. For example:

    1. Acquire the TLS certificate using the Fully Qualified Domain Name (FQDN) of the server or alias used for the Kubernetes cluster where your AnyCAGateway REST implementation will be installed. This is the name that you will use to access AnyCAGateway REST via a browser for management purposes.

    2. Copy the certificate together with its private keyClosed Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. to your working directory on the Kubernetes server.

    3. Depending on the method you used to acquire your certificate, you may need to manipulate it on the Kubernetes server to get it into the correct format. You need separate PEMClosed A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. In general, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key.-encoded unencrypted private key and certificate files. If your certificate is a PKCS#12Closed A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. file, you can use OpenSSL commands similar to the following to extract the certificate and key:

      Extract just the certificate, not any chain certificates or the key:

      sudo openssl pkcs12 -in /opt/kyf_gateway/gateway_cert.pfx -clcerts -nokeys -out /opt/kyf_gateway/gateway_cert.crt

      Extract just the key:

      sudo openssl pkcs12 -in /opt/kyf_gateway/gateway_cert.pfx -nocerts -out /opt/kyf_gateway/gateway_cert_key.pem

      Decrypt the key:

      sudo openssl rsa -in /opt/kyf_gateway/gateway_cert_key.pem -out /opt/kyf_gateway/gateway_cert_key-plain.pem
      Important:  The decrypted key file should be handled carefully and stored securely. Once the secret is created (next step), the decrypted key file should be removed.

    4. Create the secrets for the certificate. For example:

      kubectl create secret tls ingress-tls --namespace keyfactor-gateway --cert /opt/kyf_gateway/gateway_cert.crt --key /opt/kyf_gateway/gateway_cert_key-plain.pem
Helm Chart Customization

AnyCAGateway REST ships with a helm chart that contains most of the configuration needed to get up and running, but a few additional pieces of information are needed. These are provided via a separate values file that feeds into the helm chart so that the actual helm chart does not need to be edited. See the below values file. Some fields in this file are required, and others are optional.

Create an input file to the helm chart similar to the following, using the inputs as per Table 957: AnyCAGateway REST Containerized Installation Values File Settings. Use a text editor to update the file, based on the below sample. For example:

nano /opt/kyf_gateway/values-local.yaml

The fields highlighted in red below indicate fields that need to be edited or that you may wish to edit. The fields highlighted in green indicate data provided with secrets or config maps created in the previous section. Fields and values in the authentication section will vary depending on your identity provider (see Values File Settings for Containers Under Kubernetes).

Important:  When editing the file, be sure to preserve the indenting exactly as shown. YAML requires a very specific file layout to function. If the indenting (multiples of two spaces) or layout is incorrect, you will receive an error when trying to install.
# You can choose to supply connection info as plaintext or from an existing secret. Uncomment the appropriate section.
connectionStrings:
  existingSecretName: connection-strings
  existingSecretKey: connection-key
  #hostname: "SQL HOSTNAME"
  #database: "DATABASE NAME"
  #username: "USERNAME"
  #password: "PASSWORD"

ingress:
  enabled: true
  hostname: "GATEWAY HOSTNAME"
  tlsSecretName: ingress-tls
  className: nginx

authentication:
  overwrite: false
  superAdmin:
    description: 'INITIAL_ADMIN_USER_DESCRIPTION'
    value: 'INITIAL_ADMIN_USER_SUB_CLAIM_VALUE'
    provider: 'IDP_AUTH_SCHEME'
    type: OAuth_sub
  cookieExpirationMinutes: 5
  sessionExpirationMinutes: 60
  defaultIdentityProviderAuthScheme:
  oauth:
    authenticationScheme: 'IDP_AUTH_SCHEME'
    displayName: 'IDP_DISPLAYNAME'
    providerType: 'Generic'
    parameters:
      secretName: idp-secrets
      clientIdSecretKey: client-id
      clientSecretSecretKey: client-secret
      nameClaimType: 'preferred_username'
      timeout: 60
      authority: https://IDP_HOSTNAME/realms/Keyfactor
      oidcAudience: 'RESTGateway'
      disableBearerTokenScopeRequirement: false
      tokenEndpoint: https://IDP_HOSTNAME/realms/Keyfactor/protocol/openid-connect/token
      authorizationEndpoint: https://IDP_HOSTNAME/realms/Keyfactor/protocol/openid-connect/auth
      userInfoEndpoint: https://IDP_HOSTNAME/realms/Keyfactor/protocol/openid-connect/userinfo
      jsonWebKeySetUri: https://IDP_HOSTNAME/realms/Keyfactor/protocol/openid-connect/certs

workloadDefaults:
  logLevel: INFO
  image:
  pullSecrets:
  - name: image-creds

portal:
  image:
    name: anygateway-rest
  checkClientCertCRL: true

dbmanagement:
  image:
    name: anygateway-dbmanagement
  serviceUsername: 'SQL_SERVICE_ACCOUNT_USER_NAME'
  servicePasswordSecretName: service-password
  servicePasswordSecretKey: service-password

volumes:
  - name: root-cas
    configMap:
      name: ca-roots
      items:
        - key: ca-certificates.crt
          path: ca-certificates.crt

volumeMounts:
  - name: root-cas
    mountPath: /etc/ssl/certs/ca-certificates.crt
    subPath: ca-certificates.crt
Install

To install AnyCAGateway REST in containers under Kubernetes with a Helm chart:

  1. Set the permissions on the values file such that the file is owned by root and readable only by root (this assumes your Kubernetes implementation is running as root, which is typical). For example:

    sudo chown root:root /opt/kyf_gateway/values-local.yaml
    sudo chmod 400 /opt/kyf_gateway/values-local.yaml
    Tip:  If you need to make edits to the values file, you will need to make the file writable again. For example:
    sudo chmod 600 /opt/kyf_gateway/values-local.yaml

  2. Login to the JFrog repository so that you may retrieve the helm chart. For example:

    sudo helm registry login repo.keyfactor.com --password YouSuperSecretRepoAPIKeyorToken --username YourRepoUsername

    Confirm that login completes successfully.

  3. Run the install, giving the deployment a name and referencing your customized values file. For example:

    sudo helm install Helm_Deployment_Name --namespace keyfactor-gateway --values values-local.yaml oci://repo.keyfactor.com/charts/command/anygateway-rest --version 1.0.1
Tip:   To review logs generated from the container, identify the pod name with this command:
sudo kubectl get pods-A | grep gateway

Identify the container you’re interested in. For example, the database deployment process is handled by the container named anygateway-rest-dbmanagement, where the instance value is randomly generated:

Helm_Deployment_Name-anygateway-rest-dbmanagement-instance

For example:

restgateway1-anygateway-rest-dbmanagement-ld6xp

This is a short-lived container that shuts down once the database management tasks are complete. Then the main portal container starts. This container is named anygateway-rest-portal with instance name and deployment name:

Helm_Deployment_Name-anygateway-rest-portal-instance

For example:

restgateway1-anygateway-rest-portal-bbdc75b97-6c656

Then use the following command to output the current log:

sudo kubectl logs --namespace keyfactor-gateway restgateway1-anygateway-rest-portal-bbdc75b97-6c656 --follow

The optional follow parameterClosed A parameter or argument is a value that is passed into a function in an application. will continuously output the logs as they are generated until interrupted.

If no log output is being generated, this may indicate a failure is occurring earlier in the process during container creation. If that’s the case, the following command to output details for the container may be helpful. Again, the commend references the name of the container. For example:

sudo kubectl describe --namespace pods/keyfactor-gateway restgateway1-anygateway-rest-portal-bbdc75b97-6c656 --follow

If you need to delete the install and try again, use this command:

sudo helm uninstall Helm_Deployment_Name --namespace keyfactor-gateway