Allow TLS key pair to be sourced at runtime from a Kubernetes secret #700
Comments
I'd like to see this added as well. In the meantime, just in case it's not clear, PWM will use the default Java truststore for certificate validation in cases where no certificate is configured in the corresponding setting. So the approach to implement this would be to have the docker startup script:
I don't think any changes to PWM Java code are required.
@jrivard Does this also apply to the
@klasen Nope, only for certificate trusts. Though we could probably have it try to use a well-known alias name for the private cert and only auto-generate one if it can't find such a cert..... I'll think about it a bit...
Could we set
I don't know. My guess is that if it worked it would probably break other TLS things. PWM doesn't change the default KeyManager as far as I know and just sets tomcat's keystore properties, so I don't know what magic happens inside tomcat. At that point you're probably better off just making your own docker image with tomcat and the PWM war and configuring tomcat as desired... For reference this is the PWM code that does the embedded tomcat initialization:
If intra-cluster communication needs to be encrypted, PWM must provide an HTTPS service with a certificate trusted by the ingress controller.
In order to achieve this I'd like to provide the TLS key/cert pair at pod runtime using a Secret of type "kubernetes.io/tls", coming as tls.crt and tls.key files, and a ca.crt secret for intermediate and root certificates. Unfortunately, because of the current way certs are configured in PWM, I can't mount this secret to any pod folder and get the pair picked up by the container at runtime.
See https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/#creating-certificate-secrets
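As an added example (not PWM project code and not a script posted in this thread), here is a container start-up helper that does what the issue body and the truststore comment above describe: it takes a mounted kubernetes.io/tls Secret (tls.crt, tls.key, optional ca.crt), checks that the key really belongs to the certificate and that ca.crt validates it, bundles the pair into a PKCS12 keystore for Tomcat, and imports ca.crt into the JVM's default truststore that PWM falls back to when no certificate is configured in a setting. Assumptions made here: the Secret is mounted at /etc/pwm-tls, the PWM_TLS_* variable names, the keystore output path and the aliases "pwm" and "pwm-ca" are arbitrary choices, and handing the resulting keystore path and password to PWM's embedded Tomcat is left to the existing start-up script.

```shell
#!/bin/sh
# Added example, not PWM's own start-up code. Turns a mounted kubernetes.io/tls
# Secret into a PKCS12 server keystore and a trusted CA entry in the JVM
# truststore. Assumed: mount path /etc/pwm-tls, PWM_TLS_* variables, aliases.
set -eu

PWM_TLS_DIR="${PWM_TLS_DIR:-/etc/pwm-tls}"
PWM_TLS_KEYSTORE="${PWM_TLS_KEYSTORE:-/tmp/pwm-tls.p12}"
PWM_TLS_KEYSTORE_PASSWORD="${PWM_TLS_KEYSTORE_PASSWORD:-changeit}"

# Sanity-check the Secret before touching any keystore:
#  - tls.crt and tls.key exist and are non-empty
#  - the private key belongs to the certificate (SubjectPublicKeyInfo matches)
#  - if ca.crt is present, it validates tls.crt (what the ingress will check)
pwm_tls_check_secret() {
    dir="$1"
    [ -s "$dir/tls.crt" ] && [ -s "$dir/tls.key" ] || return 1
    crt_pub="$(openssl x509 -in "$dir/tls.crt" -noout -pubkey 2>/dev/null)" || return 1
    key_pub="$(openssl pkey -in "$dir/tls.key" -pubout 2>/dev/null)" || return 1
    [ "$crt_pub" = "$key_pub" ] || return 1
    if [ -s "$dir/ca.crt" ]; then
        openssl verify -CAfile "$dir/ca.crt" "$dir/tls.crt" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Bundle key + cert (+ chain when ca.crt exists) into PKCS12. Tomcat reads
# PKCS12 directly, so no keytool conversion is needed for the server identity.
pwm_tls_build_keystore() {
    dir="$1"; out="$2"; pass="$3"
    set -- -export -in "$dir/tls.crt" -inkey "$dir/tls.key" -name pwm \
           -out "$out" -passout "pass:$pass"
    if [ -s "$dir/ca.crt" ]; then
        set -- "$@" -certfile "$dir/ca.crt"
    fi
    # The keystore contains the private key: create it owner-readable only.
    ( umask 077; openssl pkcs12 "$@" 2>/dev/null )
}

# Locate the JVM's default truststore (Java 9+ layout first, then Java 8).
pwm_tls_default_truststore() {
    for ts in "${JAVA_HOME:-/nonexistent}/lib/security/cacerts" \
              "${JAVA_HOME:-/nonexistent}/jre/lib/security/cacerts"; do
        if [ -f "$ts" ]; then echo "$ts"; return 0; fi
    done
    return 1
}

# Add ca.crt to a truststore so PWM trusts the issuer through the default Java
# truststore. Idempotent: skips the import when the alias is already present.
pwm_tls_import_ca() {
    dir="$1"; ts="$2"; storepass="${3:-changeit}"
    [ -s "$dir/ca.crt" ] || return 0   # no CA provided: nothing to trust
    if keytool -list -alias pwm-ca -keystore "$ts" -storepass "$storepass" >/dev/null 2>&1; then
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts -alias pwm-ca \
        -file "$dir/ca.crt" -keystore "$ts" -storepass "$storepass" >/dev/null 2>&1
}

main() {
    pwm_tls_check_secret "$PWM_TLS_DIR" || {
        echo "pwm-tls: missing or inconsistent key pair in $PWM_TLS_DIR" >&2
        exit 1
    }
    pwm_tls_build_keystore "$PWM_TLS_DIR" "$PWM_TLS_KEYSTORE" "$PWM_TLS_KEYSTORE_PASSWORD"
    if command -v keytool >/dev/null 2>&1 && ts="$(pwm_tls_default_truststore)"; then
        pwm_tls_import_ca "$PWM_TLS_DIR" "$ts" changeit
    fi
    # Hand this path and PWM_TLS_KEYSTORE_PASSWORD to the existing PWM/Tomcat start-up.
    echo "$PWM_TLS_KEYSTORE"
}

# Only act when the Secret is actually mounted, so the file can also be sourced.
if [ -d "$PWM_TLS_DIR" ]; then
    main
fi
```

The key-matching check is deliberately done on the exported public keys rather than on RSA moduli, so it works for EC keys as well; the chain check against ca.crt catches the common mistake of mounting a certificate the ingress controller will not trust before Tomcat ever starts. Because keytool writes into the image's cacerts file, run the import on a writable copy (or point javax.net.ssl.trustStore at one) if the image filesystem is read-only.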