[Story] JMX SSL/TLS certs config and upload #306
Comments
|
Old Cryostat did this in its entrypoint script: https://github.com/cryostatio/cryostat/blob/80683ea1e22c77ecbb52a2f47ca2c132a3ab0b5f/src/main/extras/app/entrypoint.bash#L50 With Quarkus it looks like it's possible via simple configuration options: https://quarkus.io/guides/all-config#quarkus-vertx-http_quarkus-http-ssl-certificate-trust-store-file If that Quarkus configuration does what we need it to, then 1) providing a user guide on how to do that, and 2) implementing an endpoint for uploading certificate files that get programmatically added to that trust store, would be enough. Maybe we should revisit the certificate upload feature however. It always required a server restart to do, which was never possible via the UI, and it also assumes that the user with access to Cryostat is also a user who should be allowed to make deployment-level changes to the Cryostat instance, which is no longer the authorization model we want to follow. |
|
After discussion with the team, we have decided to remove this functionality from the UI and to not reimplement it in 3.0. Instead, any additional SSL/TLS certs will need to be provided to the container at deployment time by mounting volumes to the container filesystem. |
Like in old Cryostat, users must be able to supply SSL/TLS certs that Cryostat should trust. These would be SSL/TLS certs that their applications use to secure their JMX ports. The user must also be able to supply trusted TLS certs that their Cryostat Agent instances will present on their HTTPS APIs. The user should be able to upload these certs through the existing web-client UI, or by mounting them to the filesystem from ex. k8s Secrets.
Related cryostatio/cryostat-agent#138
The text was updated successfully, but these errors were encountered: