[Task] Add option for users to import whole truststore instead of certs
Closed this issue · 4 comments
^ maybe the Agent should have some other config property to allow it to import a whole truststore as well? Like `cryostat.agent.webclient.tls.truststore.path=/path/to/init/truststore`, `cryostat.agent.webclient.tls.truststore.pass=changeit`. I think this could be used in conjunction with the new configs from https://github.com/cryostatio/cryostat-agent/pull/448 - if these properties aren't specified then it does the same thing as https://github.com/cryostatio/cryostat-agent/pull/448, but if they are specified then probably just [this bit of code](https://github.com/cryostatio/cryostat-agent/blob/938e8f1032415606f5a65cfae20fb377d1cd0b89/src/main/java/io/cryostat/agent/MainModule.java#L180) needs to be adjusted to start with the provided truststore?
Originally posted by @andrewazores in cryostatio/cryostat-operator#928 (comment)
Related to #139
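An illustration of the behaviour proposed above, added here and not taken from this thread or from the Cryostat Agent code base: when the two proposed properties are set, the truststore is loaded from disk and the individually configured certificates are added on top; when they are absent, the store starts empty. The class name `TruststoreInit`, the `build` helper and the `extra-N` alias scheme are hypothetical, and the property names are the ones suggested in the issue.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TruststoreInit {
    // Hypothetical helper: seed the trust material from an optional truststore file,
    // then add separately configured X.509 certificate files without clobbering its entries.
    static SSLContext build(String storePath, String storePass, List<Path> extraCerts)
            throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        if (storePath == null) {
            ts.load(null, null); // properties not set: start from an empty store
        } else {
            if (storePass == null) { // fail closed rather than skip the integrity check
                throw new IllegalArgumentException("truststore path set without a password");
            }
            try (InputStream in = Files.newInputStream(Path.of(storePath))) {
                ts.load(in, storePass.toCharArray()); // throws on wrong password or corrupt file
            }
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int n = 0;
        for (Path certFile : extraCerts) {
            String alias;
            do { alias = "extra-" + n++; } while (ts.containsAlias(alias)); // keep existing aliases
            try (InputStream in = Files.newInputStream(certFile)) {
                ts.setCertificateEntry(alias, cf.generateCertificate(in));
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String path = System.getProperty("cryostat.agent.webclient.tls.truststore.path");
        String pass = System.getProperty("cryostat.agent.webclient.tls.truststore.pass");
        SSLContext ctx = build(path, pass, List.of()); // certificate list left empty in this sketch
        System.out.println("TLS context ready: " + ctx.getProtocol());
    }
}
```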
Sort of on this topic, I tried to use the new cert list config in the environment variable form on OpenShift, and the Deployment was rejected by Kubernetes' environment variable validation because of the `[0]` characters. Maybe we need to come up with some other syntax that can be transformed into an acceptable character set.
You can add it in as a JVM system property with `JAVA_OPTS_APPEND`, I think. Does that work? We can just tweak the README to inform readers of this change.
That's what I had to do in the Operator PR. We can't assume that the `JAVA_OPTS_APPEND` mechanism is available for all end users' applications, though there is likely to be at least some equivalent. It would still be nicest to have a format for this property so that it can be specified as either environment variable or system property, since all the others can be specified either way as well.
Maybe the current syntax is OK, and just the way it's specified in the smoketest YAML or Operator sample YAML should be adjusted to suit this.