Add support for multiple/optional trust certificates #41932
Conversation
|
@elisabeteaprcd Please sign the Contributor License Agreement! Click here to manually synchronize the status of this Pull Request. See the FAQ for frequently asked questions. |
spring-projects-issues
added
the
status: waiting-for-triage
philwebb
added
the
for: team-meeting
|
@elisabeteaprcd Thanks for the suggestion. We will take a look at the changes and give some feedback. An alternative to these changes would be a boolean property at the top of the bundle structure such as |
|
Hi @scottfrederick, Im also working with @elisabeteaprcd on this. While the scope of this change is to support optionality for the single item - which is what is currently supported by SB, the end goal is to have it working with multiple items as proposed in #38754 (comment). So, in the scenario of multiple CAs we should be able to define which ones are mandatory for the service to start and which ones are optional, and in this sense your single-property proposal would not work at the spring boot level, however it could be expressed at the k8s deployment level by making the volume mounts mandatory. |
|
@elisabeteaprcd Thank you for signing the Contributor License Agreement! |
elisabeteaprcd
force-pushed
the
main
branch
from
4492041
to
ae68967
Compare
elisabeteaprcd
force-pushed
the
main
branch
from
ae68967
to
fe27aca
Compare
elisabeteaprcd
changed the title
|
hi @scottfrederick , just a heads-up that this has been now updated with support for multiple/optional certificates (initial PR had just support for optional) |
Problem Statement
The challenge is the dynamic updating and management of certificates in an application that supports mTLS and interacts with client services that are frequently added and removed.
Suppose your application needs to support mTLS with two well-known client services,
fooandbar, each having a specific intermediate CA (Certificate Authority). Client services are dynamically installed/removed from the cluster. For improved resiliency/manageability, you do not want to change the deployment of your application whenever a new client service is installed in the cluster: the client CAs must be dynamically added/removed to your server truststore as their services installed/removed from the cluster.Proposed Solution
This PR aims to address this issue by allowing certificates to be marked as optional. With this feature, the application can start and continue running regardless of the availability of these certificates. And allows the addition of multiple certificates as mentioned here.
Current Status
This pull request is currently a draft/proof of concept. It does not yet include tests or documentation and is intended to gather feedback. The implementation includes several TODOs.
An example of an
application.yamlwith multiple/optional certificates would look like:Some use cases:
1.The configuration with the deprecated property continues to work as expected:
TODO: Since the structure for loading certificates is the same for both keystore and truststore, should there be limitations on optionality and multiple certificates in the keystore? Should the
certificateproperty allow optionality?TODO: Consider creating a validation to ensure that
certificateandcertificatescannot be used simultaneously.ca.crtandca_cert) do not exist, they will be treated as empty, as no certificates will be available for loading at that moment. However, since thereload-on-updateproperty is set to true, the parent directory will be monitored. Once changes are detected and the files become available, they will be loaded.isReloadOnUpdateproperty is set totrue, theca.crtcertificate will still be observed.TODO: Or should we keep the exception if one or more items in the list are not observable?
Related Issue
This PR is related to this comment in the issue #38754