[Feature] Add the possibility to add CA certificates as volumes/config
fforootd opened this issue · 7 comments
In some scenarios customers want to configure zitadel to send outbound traffic through a proxy server.
We already support defining HTTP_PROXY settings, but there is no way to mount a CA file.
Acceptance Criteria
- Users can mount their CA file (this should mount /etc/ssl/certs/)
- HTTPS_PROXY can use the CA file
@fforootd Is it enough to just mount the directory/file if we do not use the proxy? Can we also set the SSL_CERT_FILE environment variable to tell Zitadel to use it? Same here btw, if I make it work at the bank, a meaty PR awaits.
Self-reply 1 for the docs: Yes, it is enough to just mount them like:

    extraVolumeMounts:
      - name: ca-certs
        mountPath: /etc/ssl/certs/ca-certs.crt
        readOnly: true
    extraVolumes:
      - name: ca-certs
        secret:
          defaultMode: 420
          secretName: ca-certs
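A pre-mount check for the bundle that goes into the `ca-certs` secret, as an added example that is not part of the thread or of the ZITADEL code base: it reports which PEM entries are usable CA certificates. The names `checkBundle` and `constructedCert` are hypothetical, and the certificates are generated in-process as constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkBundle walks every PEM block in a CA bundle and counts the entries that are
// usable trust anchors at time now; everything else is reported as a problem.
func checkBundle(bundle []byte, now time.Time) (usable int, problems []string) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		switch {
		case block.Type != "CERTIFICATE" || err != nil:
			problems = append(problems, "not a parseable certificate: "+block.Type)
		case !cert.BasicConstraintsValid || !cert.IsCA:
			problems = append(problems, cert.Subject.CommonName+": not a CA certificate")
		case now.Before(cert.NotBefore) || now.After(cert.NotAfter):
			problems = append(problems, cert.Subject.CommonName+": outside validity period")
		default:
			usable++
		}
	}
	return usable, problems
}

// constructedCert builds a throwaway self-signed certificate (sample input only).
func constructedCert(cn string, isCA bool, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	exp := time.Now().Add(24 * time.Hour)
	bundle := append(constructedCert("Constructed Proxy CA", true, exp), constructedCert("Constructed leaf", false, exp)...)
	fmt.Println(checkBundle(bundle, time.Now()))
}
```

A bundle that yields zero usable entries should not be mounted, since the proxy's certificate could then never be verified.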
Nice, thanks for sharing, I think this becomes more relevant with each day.
We are deploying at an FSI customer on premise and we need to fumble the chart a bit (user can never be root, fs changes must be made via securityContext, etc.). Once I have that stuff running I will try to PR it if you are not faster.
This feature was just released
No, the feature for an inbound cert was released
ℹ️ Not forgotten still, I track it in our JIRA to bring the code back here.
Thanks for letting us know!