Tags: kubernetes, openshift

Service to Service ssl, certificate automation?


I'm just looking for a push in the right direction :) We're running on OpenShift (managed by 'the company', I'm just a dev.) We have namespaces and services, and can do connections between services using the 'servicename.namespacename' naming scheme. I don't know how that works exactly but it does :) Security requires those connections to have SSL on them, so we need certificates. We would like to automate getting those, a lot, but so far my Google-fu has come up empty: I only find automation for outward (internet) facing certificates, but not for such internal network names.

Any hints on what to look for, for an approach to this?

Thank you so much! :)


Solution

  • There are multiple ways to implement this, at different levels of the platform or application.

    • You can do mTLS in your application or application framework. This however requires that you manage certificates yourself and you also configure your applications to only talk over TLS-enabled channels. This needs to be done for every application separately and individually.

    • Using cert-manager (which is also supported by OpenShift) could help you to implement some sort of automatic certificate renewal and may automate some of the steps necessary above. However, this does not solve the issue that every application needs to configure this.

    • The easiest way to meet the requirement of the security team is typically that your OpenShift administrators enable IPSec encryption on a platform level. This means all traffic between Nodes is encrypted. This way applications do not need to be touched and do not need to worry about encryption.

    • The (in my eyes) most complicated solution would be to use something like OpenShift Service Mesh which allows mTLS encryption for applications. I say most complicated because it introduces some overhead both performance-wise and also management-wise. Service Mesh is a good solution if you also want to use other features of Service Mesh such as policies or traffic management.
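As an added illustration of the cert-manager option above (not part of the original answer), this is what a private-CA Issuer plus a Certificate for an internal service name looks like. It assumes cert-manager is installed, that a CA keypair already exists in a Secret called internal-ca-keypair, and that the service is myservice in namespace myns; all of those names are placeholders.

```yaml
# Added example, not from the original thread. Placeholders: namespace "myns",
# service "myservice", CA Secret "internal-ca-keypair" (holding tls.crt/tls.key).
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: internal-ca
  namespace: myns
spec:
  ca:
    secretName: internal-ca-keypair   # your private CA; never a public ACME issuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: myservice-tls
  namespace: myns
spec:
  secretName: myservice-tls           # cert-manager writes tls.crt, tls.key, ca.crt here
  duration: 2160h                     # 90 days validity
  renewBefore: 360h                   # renew 15 days before expiry, automatically
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always            # fresh key on every renewal
  usages:
    - digital signature
    - key encipherment
    - server auth
    - client auth                     # only needed if the pod also acts as an mTLS client
  dnsNames:                           # every form of the internal name clients may use
    - myservice
    - myservice.myns
    - myservice.myns.svc
    - myservice.myns.svc.cluster.local
  issuerRef:
    name: internal-ca
    kind: Issuer
```

The application still has to mount myservice-tls and be configured to present tls.crt/tls.key and to trust ca.crt, which is exactly the per-application work the answer warns about; a client that validates the CA but not the DNS name gets no protection from the cert.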