Certificates for single container sidecar deployments
You can use Cyral's default sidecar-created certificate or use a custom certificate to secure the communications performed by the sidecar. In this page, we provide instructions on how to use a custom certificate.
Use your own certificate
You can use a certificate signed by you or the Certificate Authority of your choice. Provide the certificate contents to the container using the following environment variables:
CYRAL_SIDECAR_TLS_CERT= # x509 TLS certificate
CYRAL_SIDECAR_TLS_PRIVATE_KEY= # private key corresponding to TLS cert
CYRAL_SIDECAR_CA_CERT= # x509 CA certificate
CYRAL_SIDECAR_CA_PRIVATE_KEY= # private key corresponding to CA cert
note
The contents of these environment variables must be encoded in base64.
If, for example, your TLS certificate has the following contents in the
tls-cert.pem
file:
-----BEGIN CERTIFICATE-----
aGVsbG8gd29ybGQK
-----END CERTIFICATE-----
And something similar for the private key, stored in tls-key.pem
:
-----BEGIN RSA PRIVATE KEY-----
aGVsbG8gd29ybGQK
-----END RSA PRIVATE KEY-----
You could use the following commands to set your environment variables.
CYRAL_SIDECAR_TLS_CERT=$(cat 'tls-cert.pem' | base64 -w 0)
CYRAL_SIDECAR_TLS_PRIVATE_KEY=$(cat 'tls-key.pem' | base64 -w 0)
Note that the environment variables must be injected into the docker container. How to inject will depend on how you are deploying the container. For deployment types maintained by Cyral, see Deployment-specific intructions.