[CE Sprint #16] [CLOUD-2398] Auto-generate the HTTPS, JGroups keystores, and truststore for the RH-SSO server upon request #221
@rcernich PTAL
You should add openssl to the packages list in the module.yaml file.
b91c784 to cbcad4d
e70bd2d to cd97410
LGTM
9814242 to 4a34425
@rcernich Added
# Propagate the trustore related variables to subsequent modules | ||
SSO_TRUSTSTORE_PASSWORD="${PASSWORD}" | ||
SSO_TRUSTSTORE_DIR="${KEYSTORES_STORAGE}" | ||
SSO_TRUSTSTORE="${JKS_TRUSTSTORE_FILE}" |
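Review bot: The three SSO_TRUSTSTORE* assignments are plain shell assignments without export, so the "propagate to subsequent modules" comment above them holds only if every later module is sourced into this same shell; if any consumer runs as a child process, export them. The comment also misspells "truststore" as "trustore", and SSO_TRUSTSTORE_PASSWORD is filled from a generically named ${PASSWORD}, where a more specific variable name would make it clear which secret is being reused.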
So the truststore will only contain the OpenShift certificates, and not any of the default list of trusted CAs, right? (Which may be problematic, as it probably will break integration with other services that use https.)
Great catch, Marek, thanks! Should be fixed with the most recent one.
Looks okay to me.
… for OpenShift's serving x509 certificate secrets service were properly mounted

Also auto-generate the truststore for the RH-SSO server if the X509 CA bundle was provided:
* Define local readonly X509_CRT_DELIMITER variable rather than defining it in each separate template
* Include known certificates from system's Java CA certificate bundle into the auto-generated RH-SSO truststore too

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
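The approach raised in this thread (a truststore seeded with the JDK's default CAs, then extended with every certificate from the provided CA bundle), as an added example that is not the PR's code. The function names, argument order, file naming and `bundle-ca-N` aliases are hypothetical; `changeit` is the stock password of the JDK `cacerts` file.

```shell
#!/bin/sh
# Added example, not code from the pull request. All names are hypothetical.

# Split a PEM CA bundle into one file per certificate and print how many
# certificates were found. Text outside BEGIN/END markers is ignored.
split_ca_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "${outdir}"
  awk -v dir="${outdir}" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%03d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "${bundle}"
}

# Build a truststore that trusts the JDK default CAs plus every bundle CA.
# Arguments: bundle path, truststore path, truststore password, JDK cacerts path.
build_truststore() {
  bundle="$1"; truststore="$2"; storepass="$3"; java_cacerts="$4"
  tmp="$(mktemp -d)"
  count="$(split_ca_bundle "${bundle}" "${tmp}")"
  if [ "${count}" -eq 0 ]; then
    echo "no certificates found in ${bundle}" >&2
    rm -rf "${tmp}"
    return 1
  fi
  # Seed with the default CAs first, so outbound HTTPS to services signed by
  # public CAs keeps validating once this truststore replaces the default.
  keytool -importkeystore -noprompt \
    -srckeystore "${java_cacerts}" -srcstorepass changeit \
    -destkeystore "${truststore}" -deststorepass "${storepass}" || return 1
  i=0
  for crt in "${tmp}"/ca-*.pem; do
    keytool -importcert -noprompt -alias "bundle-ca-${i}" -file "${crt}" \
      -keystore "${truststore}" -storepass "${storepass}" || return 1
    i=$((i + 1))
  done
  rm -rf "${tmp}"
}
```

Running `keytool -list -keystore <truststore>` afterwards and comparing the entry count against the JDK `cacerts` count plus the bundle count confirms that no default CA was dropped.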
LGTM
[CLOUD-2398] Auto-generate the HTTPS and JGroups keystores if volumes for OpenShift's serving x509 certificate secrets service were properly mounted
Auto-generate the truststore for the RH-SSO server if the X509 CA bundle was provided and truststore doesn't exist yet
Signed-off-by: Jan Lieskovsky
Thanks for submitting your Pull Request!
Please make sure your PR meets the following requirements:
[CLOUD-XYA] Subject
CONTRIBUTING.md
Signed-off-by: Your Name <yourname@redhat.com> - use git commit -s