spiffe · mrsabath · Aug 3, 2023 · Jul 19, 2023 · Jul 19, 2023 · Aug 3, 2023
@@ -34,7 +34,7 @@ cd tornjak/examples/tls_mtls
 
 For both TLS and mTLS, we will need to deliver a certificate/key pair to the server. In this directory are the respective files `server.crt` and `server.key`. These files have been signed by the self-signed CA in the `CA-server` directory. They will be delivered to the caller when establishing a connection so that the caller may verify the certificate. 
 
-For mTLS, we additionally need to deliver the CA certificate of the caller to the server so that the server may verify the caller certificate. The relevant file can be found in `CA-user/rootCA.crt`
+For mTLS, we additionally need to deliver the CA certificate of the caller to the server so that the server may verify the caller certificate. The relevant file can be found in `CA-client/rootCA.crt`
 
 ### Deliver the certificate/key pair to Tornjak (TLS and mTLS)
 
@@ -109,11 +109,11 @@ tls.key
 
 ### Deliver the CA certificate to Tornjak (mTLS only)
 
-For mTLS we will additionally need to deliver a user CA certificate to the Tornjak container. Currently it is found at `CA-user/rootCA.crt`. The process is the same. First we create the secret:
+For mTLS we will additionally need to deliver a client CA certificate to the Tornjak container. Currently it is found at `CA-client/rootCA.crt`. The process is the same. First we create the secret:
 
 ```
-kubectl create secret generic -n spire tornjak-user-ca \
-  --from-file=CA-user/rootCA.crt
+kubectl create secret generic -n spire tornjak-client-certs \
+  --from-file=CA-client/rootCA.crt
 ```
 
 Then we mount the secret to the Tornjak container via volume mount, as in the previous secret volume mount, retaining the previous modifications: 
@@ -124,32 +124,32 @@ volumeMounts:
 ...
   - name: tls-volume
     mountPath: /opt/spire/server
-  - name: user-cas
-    mountPath: /opt/spire/users
+  - name: client-cas
+    mountPath: /opt/spire/clients
 ...
 volumes:
 ...
   - name: tls-volume
     secret:
       secretName: tornjak-server-tls
-  - name: user-cas
+  - name: client-cas
     secret: 
       secretName: tornjak-user-ca
       items: 
         - key: rootCA.crt
-          path: userCA.crt
+          path: clientCA.crt
 
 ```
 
 Apply the same changes to your deployment, attaching the secret volumeMount to the Tornjak container. For the quickstart, we can simply apply the file in this directory `server-statefulset-mtls.yaml` and view the files in the container:
 
 ```
 kubectl apply -f server-statefulset-mtls.yaml
-kubectl exec -n spire spire-server-0 -c tornjak-backend -- ls users
+kubectl exec -n spire spire-server-0 -c tornjak-backend -- ls clients
 ```
 
 ```
-userCA.crt
+clientCA.crt
 ```
 
 ----
@@ -197,7 +197,7 @@ server {
     port = 10443             # container port for mTLS connection
     cert = "server/tls.crt"  # TLS cert
     key = "server/tls.key"   # TLS key
-    ca = "users/userCA.crt"  # user CA for mTLS [Removing this line creates a TLS connection]
+    ca = "clients/clientCA.crt"  # client CA for mTLS [Removing this line creates a TLS connection]
   }
   ...
 }
@@ -285,7 +285,7 @@ In order to make a TLS call we need only a CA certificate that can validate the
 Additionally, we must have a certificate/key pair locally that was signed by the CA certificate given to the Tornjak server via `tornjak-user-ca` secret when configuring mTLS.  In our case, we can use the certificate/key pair `user.crt` and `user.key`: 
 
 ```
-curl --cacert CA-server/rootCA.crt --key user.key --cert user.crt https://<Tornjak_mTLS_endpoint> 
+curl --cacert CA-server/rootCA.crt --key client.key --cert client.crt https://<Tornjak_mTLS_endpoint> 
 ```
 
 -----

@@ -72,8 +72,8 @@ spec:
               mountPath: /tmp/spire-server/private
             - name: tls-volume              # 👈 TLS SECRET VOLUME MOUNT
               mountPath: /opt/spire/server  # 👈 TLS SECRET VOLUME MOUNT
-            - name: user-cas                # 👈 mTLS CA SECRET VOLUME MOUNT
-              mountPath: /opt/spire/users   # 👈 mTLS CA SECRET VOLUME MOUNT
+            - name: client-ca                 # 👈 mTLS CA SECRET VOLUME MOUNT
+              mountPath: /opt/spire/clients   # 👈 mTLS CA SECRET VOLUME MOUNT
       volumes:
         - name: spire-config
           configMap:
@@ -86,12 +86,12 @@ spec:
         - name: tls-volume                  # 👈 TLS SECRET VOLUME
           secret:                           # 👈 TLS SECRET VOLUME
             secretName: tornjak-server-tls  # 👈 TLS SECRET VOLUME
-        - name: user-cas                    # 👈 mTLS CA SECRET VOLUME
+        - name: client-ca                   # 👈 mTLS CA SECRET VOLUME
           secret:                           # 👈 mTLS CA SECRET VOLUME
-            secretName: tornjak-user-certs  # 👈 mTLS CA SECRET VOLUME
+            secretName: tornjak-client-ca   # 👈 mTLS CA SECRET VOLUME
             items:
               - key: rootCA.crt
-                path: userCA.crt
+                path: clientCA.crt
   volumeClaimTemplates:
     - metadata:
         name: spire-data