Layer7 API Management

 Trust store in Operator

Alexander van den Brink posted Jul 17, 2024 04:25 AM

Hi,

As I currently understand how the operator works, to populate your truststore you would need to use graphman bundles. I haven't found anything in the documentation where you could use a secret or configmap to populate the truststore. The only thing I've found is how to import keys using Kubernetes TLS secrets. Is there something I've overlooked? Or is this only possible using graphman bundles?

Kind regards,

Alexander

Broadcom Employee Gary Vermeulen

Hi Alexander,

There is not currently a way to import certificates to the Gateway truststore without a Graphman bundle.

Is this something that you would find useful?

Kind regards,

Gary Vermeulen

Alexander van den Brink

Hi Gary, I don't know how to respond to your answer, so I'll just do it as an answer to my own original post. But yes, it would be preferable; that way we can use something like cert-manager. Having it be something that can automatically be rotated would work best for our use case.

Broadcom Employee Gary Vermeulen

Could you clarify the use case? Is this for:

  • adding a private key and automatically trusting the cert
    • we could expand externalKeys to include a flag that allows you to update the truststore.
  • importing certs for other services
    • this would be something new (externalCerts)
  • or something else?

Alexander van den Brink

Hi Gary,

I think both the externalkey extension and externalcert would be a welcome addition, but right now externalcert would bring the most value for us.