
Allow trusted certificates to be specified at runtime by keystore and multiple PEM files #20594

Closed
ChetRHosey opened this issue Oct 7, 2021 · 5 comments · Fixed by #39825

Comments

@ChetRHosey

ChetRHosey commented Oct 7, 2021

Description

According to https://quarkus.io/guides/native-and-ssl#the-truststore-path,

the root certificates are fixed at image build time [...] when the defaults need to be changed, these system properties must be provided at image build time

But trust settings can be environmental. Examples:

  • A corporate proxy may do MITM inspection of HTTPS traffic and re-sign with an organizational CA
  • An organizational CA may be used on-premise
  • An OpenShift cluster can provide service certificates with its own internal CA

Making this a build-time-only option limits the ability of Quarkus apps to connect to services whose certificates are signed by an environment-specific CA.

It would be helpful if operators could provide an environmental trust store at runtime.

Ideally PEM files could be trusted directly to avoid the need to use keytool at runtime. PEM files can come from a number of sources, especially within OpenShift:

A runtime option to load trusted CAs from multiple PEM files would greatly ease Quarkus' use in environments where custom CA settings are a requirement.

Implementation ideas

No response
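As an added example (not code from this issue and not a Quarkus API), the following standalone Java program shows the mechanism the issue asks for: at runtime, trust anchors are read from an optional keystore and from any number of PEM files (a single PEM file may hold a whole CA bundle), merged into an in-memory truststore, and used to build an SSLContext. The environment variable names APP_TRUST_KEYSTORE, APP_TRUST_KEYSTORE_PASSWORD and APP_TRUST_PEMS, and the class name RuntimeTrust, are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext whose trust anchors are supplied at runtime from a
 * keystore and/or PEM files. Hypothetical helper for illustration only;
 * it is not part of Quarkus.
 */
public final class RuntimeTrust {

    private RuntimeTrust() {}

    /** Reads every X.509 certificate in one PEM file; a bundle file yields several. */
    static List<X509Certificate> readPem(Path pemFile) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pemFile)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : certs) {
                out.add((X509Certificate) c);
            }
            return out;
        }
    }

    /**
     * Merges the certificate entries of an optional keystore (JKS or PKCS12,
     * detected by the JDK default type) and every certificate from the given
     * PEM files into a fresh in-memory truststore.
     */
    static KeyStore buildTrustStore(Path keystore, char[] keystorePassword, List<Path> pemFiles)
            throws IOException, GeneralSecurityException {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, null); // start from an empty store

        if (keystore != null) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = Files.newInputStream(keystore)) {
                ks.load(in, keystorePassword);
            }
            for (String alias : Collections.list(ks.aliases())) {
                Certificate c = ks.getCertificate(alias);
                if (c != null) {
                    trust.setCertificateEntry("ks-" + alias, c);
                }
            }
        }

        int n = 0;
        for (Path pem : pemFiles) {
            for (X509Certificate c : readPem(pem)) {
                try {
                    c.checkValidity(); // skip expired or not-yet-valid anchors, but keep going
                } catch (CertificateException e) {
                    System.err.println("skipping " + c.getSubjectX500Principal() + " from " + pem + ": " + e.getMessage());
                    continue;
                }
                trust.setCertificateEntry("pem-" + (n++), c);
            }
        }
        if (trust.size() == 0) {
            throw new KeyStoreException("no trust anchors loaded at runtime");
        }
        return trust;
    }

    /** Wraps the merged truststore in an SSLContext usable by any JSSE-based client. */
    static SSLContext sslContext(KeyStore trust) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed runtime configuration: keystore path, its password, and a comma-separated PEM list.
        String ksPath = System.getenv("APP_TRUST_KEYSTORE");
        String ksPass = System.getenv("APP_TRUST_KEYSTORE_PASSWORD");
        String pemList = System.getenv().getOrDefault("APP_TRUST_PEMS", "");
        List<Path> pems = new ArrayList<>();
        for (String p : pemList.split(",")) {
            if (!p.isBlank()) {
                pems.add(Path.of(p.trim()));
            }
        }
        KeyStore trust = buildTrustStore(ksPath == null ? null : Path.of(ksPath),
                ksPass == null ? null : ksPass.toCharArray(), pems);
        SSLContext ctx = sslContext(trust);
        System.out.println("loaded " + trust.size() + " trust anchors; protocol " + ctx.getProtocol());
    }
}
```

Because the merged store is built in memory, no keytool invocation is needed at deploy time: an operator can mount a CA bundle or a set of PEM files (for example from a ConfigMap or a service-CA-injected volume) and point the variables at them. Expired anchors are skipped with a message rather than failing the whole load, since distribution CA bundles often carry a few stale roots; an empty result is still treated as a hard error so that a misconfigured path cannot silently leave the client trusting nothing.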

@ChetRHosey ChetRHosey added the kind/enhancement New feature or request label Oct 7, 2021
@quarkus-bot

quarkus-bot bot commented Oct 7, 2021

/cc @geoand, @iocanel

@sberyozkin sberyozkin changed the title llow trusted certificates to be specified at runtime by keystore and multiple PEM files Allow trusted certificates to be specified at runtime by keystore and multiple PEM files Oct 7, 2021
@geoand
Contributor

geoand commented Oct 7, 2021

CC @sberyozkin @cescoffier

@cescoffier
Member

I'm +100 to have external certs.

We would need to check again, but initially it was the graalvm way.

With most of the I/O using Vert.x we should be able to configure each client/server with the external certs. However we would need to check with extensions using a different model.

@cescoffier cescoffier self-assigned this Nov 19, 2021
@stgrace

stgrace commented Jul 19, 2022

Hi @cescoffier,

Do you have an update on this? We would like to be able to add ca-bundles at runtime, since we deploy our applications at multiple customers and they all require communication over HTTPS, so adding ca bundles at build time is not really viable.

@cescoffier
Member

No, unfortunately, my work around the new TLS config is on hold (until I have the time to come back to it)
