ForgeRock / ds-operator

ForgeRock Directory Service Operator

SSL Support using Certificates from cert-manager #26

Closed pearj closed 2 years ago

pearj commented 3 years ago

I noticed in https://github.com/ForgeRock/ds-operator/blame/master/DEVELOPMENT.md#L80 that SSL Certificate Management is something that is not implemented yet.

I think it'd be a good idea to use https://github.com/jetstack/cert-manager; I've used it on internal projects for this purpose. I had a small sidecar container that watched the Certificate secret for changes, and when it changed it would regenerate the certificate and then reload the LDAPS handler by disabling it and re-enabling it. If there were a way to reload the SSL cert in DS without a minor outage of LDAPS, that would be even better.

I also had a script that was an init container that generated the correct SSL certificate format from the Certificate secret that DS needs.

Happy to share those scripts if they're useful, though they're in Python.
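An added illustration of the sidecar loop described above (not pearj's scripts and not the operator's own code): fingerprint the mounted cert-manager Secret, and when it changes rebuild the keystore from the PEM files and bounce the LDAPS handler. The PKCS#12 keystore path and alias, the openssl invocation and the dsconfig arguments are assumptions to check against your DS version, and dsconfig's connection and bind options are left out; in a real sidecar pass `subprocess.check_call` as `run`.

```python
import hashlib
import tempfile
from pathlib import Path

# cert-manager stores these keys in the Certificate's Secret; they are mounted as files.
SECRET_FILES = ("tls.crt", "tls.key", "ca.crt")

def secret_fingerprint(secret_dir):
    """Hash the mounted Secret files so a rotation by cert-manager can be detected."""
    h = hashlib.sha256()
    for name in SECRET_FILES:
        p = Path(secret_dir) / name
        h.update(name.encode() + b"\0" + (p.read_bytes() if p.exists() else b"") + b"\0")
    return h.hexdigest()

def rotation_commands(secret_dir, keystore, password):
    """Rebuild the PKCS#12 keystore from the PEM files, then bounce the LDAPS handler.
    Keystore path/alias and dsconfig arguments are assumptions; bind options are omitted."""
    d = Path(secret_dir)
    return [
        ["openssl", "pkcs12", "-export", "-in", str(d / "tls.crt"), "-inkey", str(d / "tls.key"),
         "-certfile", str(d / "ca.crt"), "-name", "ssl-key-pair", "-out", keystore,
         "-passout", f"pass:{password}"],
        ["dsconfig", "set-connection-handler-prop", "--handler-name", "LDAPS",
         "--set", "enabled:false", "--no-prompt"],
        ["dsconfig", "set-connection-handler-prop", "--handler-name", "LDAPS",
         "--set", "enabled:true", "--no-prompt"],
    ]

def poll(secret_dir, last_fp, keystore, password, run):
    """One watcher iteration -> (fingerprint, rotated). The first poll only records the
    baseline (the init container already built the keystore). run() executes a command."""
    fp = secret_fingerprint(secret_dir)
    if last_fp is None or fp == last_fp:
        return fp, False
    for cmd in rotation_commands(secret_dir, keystore, password):
        run(cmd)
    return fp, True

def demo():
    """Constructed sample: simulate cert-manager rotating tls.crt; capture commands instead of running them."""
    ran = []
    with tempfile.TemporaryDirectory() as d:
        for name in SECRET_FILES:  # placeholder PEM text, not real certificates
            (Path(d) / name).write_text(f"-----BEGIN {name}-----\nv1\n-----END {name}-----\n")
        fp, first = poll(d, None, "keystore.p12", "changeit", ran.append)
        _, unchanged = poll(d, fp, "keystore.p12", "changeit", ran.append)
        (Path(d) / "tls.crt").write_text("-----BEGIN tls.crt-----\nv2\n-----END tls.crt-----\n")
        _, rotated = poll(d, fp, "keystore.p12", "changeit", ran.append)
    return first, unchanged, rotated, [c[0] for c in ran]
```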

wstrange commented 3 years ago

We definitely want to improve cert handling! We are waiting on an enhancement coming in DS that will enable the use of vanilla PEM files (vs. Java Keystore - which has a very specific format). This will give us more flexibility for cert management.

pearj commented 3 years ago

Does #36 fix this?

wstrange commented 3 years ago

Hi Joel - not quite yet! This is for the DS truststore. The PEM keystore support (for ssl) is still a work in progress. Coming soon.

wstrange commented 2 years ago

There is a prototype of cert-manager support in this branch: https://github.com/ForgeRock/ds-operator/tree/cert-manager This needs to be used with that docker image.

We are still in the process of determining the longer term direction for certs/secret management - be it secret agent or other. For now this is a POC.

wstrange commented 2 years ago

Cert-manager support now merged. We have not created a release yet - pending more testing, but the feature is in.

pearj commented 2 years ago

Great thanks @wstrange!

How stable is this operator now? Do you think it'd be safe to run in prod? (I realise it might not be supported in production though)

wstrange commented 2 years ago

The operator essentially creates statefulsets and PVCs, and once those are deployed it does not interact much with the directory. So I'd consider it safe to run in prod - providing you fully test your deployment first.