Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-7921

Enable to configure a custom certificate store in APIcast when installed via APIcast Operator

XMLWordPrintable

    • False
    • False
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started

      Currently it is only possible to configure openSSLPeerVerificationEnabled (which is a bool) in the APIcast operator CRD to enable upstream certificate validation, however this will use the builtin certificate store by default.

      Configuration of a custom certificate store is normally done via configuration of the SSL_CERT_FILE environment variable (that should point to an embedded CA), but neither the env var, nor the certificate can be set / mounted with the APIcast Operator at the moment.

      The request is to enable the configuration of a custom certificate store in the APIcast Operator CRD for upstream Certificate verification.

      Workarounds:

      1. Configure the Mutual TLS policy to verify the upstream certificates; CA certificates can be provided directly as part of the policy configuration.
      2. Download the build.yml then run all the following commands (replacing the variables with placeholder text with appropriate values)
        oc new-app -f ./build.yml
        
        oc start-build apicast-custom-env
        
        oc get builds
        
        oc logs -f build/{$OUTPUT_OF_PREVIOUS_COMMAND}
        
        Once the build has successfully completed you should see an image pushed to the local registry. **Please make a note of the image URL**
        
        oc patch apicast {$NAME_OF_APICAST_CR} -p '{"spec":{"image":"{$IMAGE_URL_FROM_BUILD_OUTPUT}"}}' --type=merge <<-- The format of {$IMAGE_URL_FROM_BUILD_OUTPUT} should be {REGISTRY_HOSTNAME:PORT@SHA:SHA_ID}
        

              Unassigned Unassigned
              rhn-support-sillumin Samuele Illuminati (Inactive)
              Votes:
              4 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated: