Securing Your WordPress Deployment on OpenShift with SSL/TLS Encryption

@Harsh
Jul 5, 2024

In today’s digital age, securing web applications is of utmost importance. One of the fundamental ways to ensure security is through SSL/TLS encryption. Recently, I had the opportunity to dive deep into the concepts of SSL/TLS and their implementation in OpenShift. This blog will cover everything from the basics of SSL/TLS, different encryption designs in OpenShift, to deploying a WordPress application with edge encryption.

Understanding SSL/TLS

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols designed to provide secure communication over a computer network. Here’s a brief overview of how SSL/TLS works:

  1. Key Generation: The server generates a public key and a private key.
  2. Certificate Signing Request (CSR): The server creates a CSR containing the public key and company details.
  3. Certificate Authority (CA) Verification: The CA verifies the CSR and issues a signed certificate (CRT) containing the public key and company details.
  4. Client-Server Handshake:
  • The client (browser) requests a secure connection.
  • The server sends the certificate (CRT) to the client.
  • The client verifies the certificate’s authenticity by checking the CA signature.
  • If verified, the client uses the public key to encrypt a session key and sends it to the server.
  • The server decrypts the session key using its private key.
  • A secure, encrypted communication channel is established.
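The first three steps of that list (key generation, CSR, CA signature) and the client-side check in step 4, carried out with the openssl command line. This is an added example, not code from the original post; the CA name, the host wordpress.example.test and the ./pki directory are made-up values, and the private config files are there so the result does not depend on the system's openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-3 of the list above
# (key, CSR, CA-signed certificate) and the client-side check from step 4,
# done with the openssl CLI. The CA name, the host wordpress.example.test
# and the ./pki directory are made-up values for the demonstration.
set -eu

PKI="${PKI:-./pki}"

# Steps 1 and 3 for the CA itself: a private key plus a self-signed CA
# certificate. A private config keeps the result independent of whatever
# openssl.cnf the system ships.
make_ca() {
  mkdir -p "$PKI"
  cat > "$PKI/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Lab CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$PKI/ca.cnf" \
    -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
}

# Steps 1-2 for the server: its own key pair and a CSR carrying the public
# key and the identity (CN plus a SAN, which is what browsers actually check).
make_csr() {
  host="$1"
  cat > "$PKI/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $host
[san]
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$PKI/server.cnf" \
    -keyout "$PKI/server.key" -out "$PKI/server.csr" 2>/dev/null
}

# Step 3: the CA signs the CSR. `x509 -req` drops the CSR's extensions, so
# the SAN is supplied again from the same config section via -extfile.
sign_csr() {
  openssl x509 -req -days 1 -in "$PKI/server.csr" \
    -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" -CAcreateserial \
    -extfile "$PKI/server.cnf" -extensions san \
    -out "$PKI/server.crt" 2>/dev/null
}

# Step 4, client side: is the CA signature valid, and is the certificate
# for the host we meant to reach? Prints OK or FAIL.
verify_cert() {
  host="$1"; cert="$2"; ca="$3"
  if openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1
  then echo OK
  else echo FAIL
  fi
}
```

Run `make_ca`, `make_csr wordpress.example.test`, `sign_csr`, then `verify_cert wordpress.example.test ./pki/server.crt ./pki/ca.crt` to see OK; the same certificate checked against another hostname, or against a trust file that does not contain the CA, gives FAIL, which is exactly the decision a browser makes before it trusts the server's public key.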

SSL/TLS Encryption Designs in OpenShift

OpenShift supports three primary designs for encryption:

  1. Edge Encryption:
  • Encryption occurs at the edge (router level) of the network.
  • The client communicates securely with the OpenShift router, which then decrypts the data before passing it to the internal application.
  • Use Case: Simplifies the setup, but data within the cluster is unencrypted.

  2. Pass-Through Encryption:
  • Encryption and decryption happen between the client and the application.
  • The OpenShift router passes the encrypted data directly to the application without decrypting it.
  • Use Case: Suitable for end-to-end encryption where the application handles SSL/TLS itself.

  3. Re-Encryption:
  • Data is encrypted between the client and the router, then re-encrypted between the router and the application.
  • Provides encryption within the cluster as well as between the client and the router.
  • Use Case: Ensures data is encrypted throughout the entire path, offering higher security.
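The three designs above as declarative Route objects, in an added shell example that is not from the original post. It prints, for a given termination type, the manifest equivalent of `oc create route edge|passthrough|reencrypt`, with the fields that differ between the designs called out; route and service names, the host and the certificate material are placeholders. It also goes one step beyond the page by setting insecureEdgeTerminationPolicy so plain-HTTP visitors are redirected rather than refused.

```shell
#!/bin/sh
# Added example, not from the original post: print the declarative Route for
# each termination design so the differences are visible side by side.
# Route/service names, the host and the certificate material are placeholders.

# route_manifest TYPE NAME SERVICE HOST
#   TYPE is edge, passthrough or reencrypt; returns 1 for anything else.
route_manifest() {
  type="$1"; name="$2"; svc="$3"; host="$4"
  case "$type" in
    edge|passthrough|reencrypt) ;;
    *) echo "unknown termination type: $type" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: $name
spec:
  host: $host
  to:
    kind: Service
    name: $svc
  tls:
    termination: $type
    # Redirect: plain http:// requests get a 302 to https://.
    # Left unset, the router refuses insecure requests instead.
    insecureEdgeTerminationPolicy: Redirect
EOF
  case "$type" in
    edge)
      # TLS ends at the router; traffic from router to pod is plain HTTP.
      # certificate/key are optional: without them the router serves its
      # default wildcard certificate, which is what the bare
      # `oc create route edge` in this post relies on.
      cat <<'EOF'
    # certificate: |   PEM certificate for the host (optional)
    # key: |           matching private key (optional; never commit it)
EOF
      ;;
    passthrough)
      # The router forwards the TLS bytes untouched, so no certificate
      # fields belong on the route: the pod must present its own.
      ;;
    reencrypt)
      # Client-facing certificate/key as for edge, plus the CA that signed
      # the pod's serving certificate so the router can verify hop two.
      # (Not needed when the pod uses an OpenShift service serving cert:
      # the router already trusts that CA.)
      cat <<'EOF'
    destinationCACertificate: |
      -----BEGIN CERTIFICATE-----
      PLACEHOLDER: CA that signed the backend's serving certificate
      -----END CERTIFICATE-----
EOF
      ;;
  esac
}

# termination_of MANIFEST: read the type back out, like
# `oc get route NAME -o jsonpath='{.spec.tls.termination}'` would.
termination_of() {
  printf '%s\n' "$1" | sed -n 's/^ *termination: *//p'
}
```

`route_manifest edge wordpress wordpress wordpress.apps.example.test | oc apply -f -` creates the same edge route as the command in the deployment section, with the redirect added; the host must lie under the cluster's apps wildcard domain, or drop the host line to let OpenShift assign one.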

Deploying WordPress on OpenShift with Edge Encryption

Let’s walk through the steps to deploy a WordPress application on OpenShift using edge encryption.

  1. Deploy MySQL Database:
  • Create a YAML manifest for the MySQL database that includes a PVC, a Secret, a Service and a Deployment.
  • Don’t forget to base64-encode your database credentials before putting them into the Secret.
---
# Headless service so the WordPress pods can reach MySQL by name inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: mysql-svc
  labels:
    app: wordpress
spec:
  type: ClusterIP
  ports:
    - port: 3306
  selector:
    app: wordpress
    tier: mysql
  clusterIP: None

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: db-pvc
  labels:
    app: wordpress
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi

---
# Values under data: are the base64 encoding of the plain credentials.
apiVersion: v1
kind: Secret
metadata:
  name: mysql-secret
type: Opaque
data:
  root_password: cmVkaGF0
  password: cmVkaGF0
  user: aGFyc2g=
  database: d3BkYg==

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
spec:
  selector:
    # tier: mysql is needed here as well as on the template: the WordPress
    # pods created later also carry app: wordpress, and two controllers
    # must not select the same pods.
    matchLabels:
      app: wordpress
      tier: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: wordpress
        tier: mysql
    spec:
      containers:
        - image: mysql:5.6
          name: mysql
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysql-secret
                  key: root_password
            - name: MYSQL_USER
              valueFrom:
                secretKeyRef:
                  name: mysql-secret
                  key: user
            - name: MYSQL_DATABASE
              valueFrom:
                secretKeyRef:
                  name: mysql-secret
                  key: database
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mysql-secret
                  key: password
          ports:
            - containerPort: 3306
              name: mysql
          volumeMounts:
            - name: mysql-storage
              mountPath: /var/lib/mysql
      volumes:
        - name: mysql-storage
          persistentVolumeClaim:
            claimName: db-pvc
  • Deploy this manifest file.
oc create -f mysql.yaml

  2. Deploy WordPress:

  • We will deploy WordPress (the frontend) with the new-app command, building from the official WordPress GitHub repository.
oc new-app --name wordpress php~https://github.com/WordPress/WordPress.git
  • Expose the WordPress service with edge encryption:
oc create route edge wordpress --service=wordpress

Note: For an edge route created this way, OpenShift supplies the private key and certificate itself (the router's default certificate is served when none is given on the route), so there is nothing to generate or upload.

  3. Verify the Deployment:

Access “https://wordpress-harsh-hg2005-dev.apps.sandbox-m4.g2pi.p1.openshiftapps.com” in your browser and ensure the connection is secure.
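The three steps above gathered into one script, as an added example that is not part of the original post and not OpenShift's or WordPress's own tooling. It assumes `oc` is already logged in to a project on an OpenShift 4 cluster (where `oc new-app` creates a Deployment named after the app), that the MySQL manifest is saved as mysql.yaml, and uses a hypothetical RUN_DEPLOY variable to guard the part that talks to the cluster. Beyond the page's commands it adds two checks a practitioner wants: Secret values base64-encoded without the trailing newline that `echo` would add, and a look at what the edge route actually serves.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenShift/WordPress:
# the deployment steps as one script, plus two checks the text skips.
# Assumes: `oc` is logged in to a project on an OpenShift 4 cluster, the
# MySQL manifest is saved as mysql.yaml, and RUN_DEPLOY (hypothetical)
# guards the part that talks to the cluster.
set -eu

MANIFEST="${MANIFEST:-mysql.yaml}"

# b64 VALUE: base64 for a Secret's data: field. printf adds no newline;
# `echo redhat | base64` would give cmVkaGF0Cg== and MySQL would end up
# configured with the password "redhat\n".
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# decode_secret_line "key: base64value": round-trip one data: line to see
# what the container will actually receive.
decode_secret_line() { printf '%s' "${1#*: }" | base64 -d; }

# Alternative to hand-encoding: pass clear values and let oc encode them.
create_mysql_secret() {
  oc create secret generic mysql-secret \
    --from-literal=root_password="$1" --from-literal=password="$2" \
    --from-literal=user="$3" --from-literal=database="$4"
}

deploy_mysql() {
  oc create -f "$MANIFEST"
  oc rollout status deployment/wordpress-mysql --timeout=180s
}

deploy_wordpress() {
  oc new-app --name wordpress php~https://github.com/WordPress/WordPress.git
  # Same edge route as in the post, plus: redirect http:// to https://
  # instead of refusing plain HTTP.
  oc create route edge wordpress --service=wordpress --insecure-policy=Redirect
  oc rollout status deployment/wordpress --timeout=600s
}

# verify_route NAME: does the router present a certificate clients trust,
# who issued it, and is plain HTTP redirected?
verify_route() {
  host=$(oc get route "$1" -o jsonpath='{.spec.host}')
  echo "route host: $host"
  # curl exits non-zero if the served chain does not verify against the
  # system trust store; the assignment then fails and set -e stops here.
  code=$(curl -sS -o /dev/null -w '%{http_code}' "https://$host/")
  echo "https status: $code"
  # Subject/issuer/validity of the served certificate: the router's
  # default certificate unless --cert/--key were given to create route.
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
  # Expect a Location: https://... header on the insecure port.
  curl -sSI "http://$host/" | grep -i '^location: https://'
}

if [ "${RUN_DEPLOY:-0}" = 1 ]; then
  deploy_mysql
  deploy_wordpress
  verify_route wordpress
fi
```

`RUN_DEPLOY=1 sh deploy.sh` performs the deployment and the checks; sourcing the file without that variable only defines the functions, so `b64 redhat` can be used on its own to produce the value that goes into the manifest, and `create_mysql_secret` is the option to use if you would rather not encode by hand at all.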

Summary

SSL/TLS encryption is a critical component for securing web applications. Understanding the working principles of SSL/TLS helps in making informed decisions about your security architecture. In OpenShift, you can choose between edge encryption, pass-through encryption, and re-encryption based on your security requirements.

By following the above steps, you can deploy a WordPress application on OpenShift with edge encryption, ensuring that your data is secure from the client to the OpenShift router. This approach not only simplifies setup but also ensures a secure communication channel for your users.
