Closed pearj closed 2 years ago
We definitely want to improve cert handling! We are waiting on an enhancement coming in DS that will enable the use of vanilla PEM files (vs. Java Keystore - which has a very specific format). This will give us more flexibility for cert management.
Does #36 fix this?
Hi Joel - not quite yet! This is for the DS truststore. The PEM keystore support (for ssl) is still a work in progress. Coming soon.
There is a prototype of cert-manager support in this branch: https://github.com/ForgeRock/ds-operator/tree/cert-manager This needs to be used with that docker image.
We are still in the process of determining the longer term direction for certs/secret management - be it secret agent or other. For now this is a POC.
Cert-manager support now merged. We have not created a release yet - pending more testing, but the feature is in.
Great thanks @wstrange!
How stable is this operator now? Do you think it'd be safe to run in prod? (I realise it might not be supported in production though)
The operator essentially creates statefulsets and PVCs, and once those are deployed it does not interact much with the directory. So I'd consider it safe to run in prod - providing you fully test your deployment first.
I noticed in https://github.com/ForgeRock/ds-operator/blame/master/DEVELOPMENT.md#L80 that SSL Certificate Management is something that is not implemented yet.
I think it'd be a good idea to use https://github.com/jetstack/cert-manager, I've used it on internal projects for this purpose. I had a small sidecar container that watched the Certificate secret for changes. And then when it changed it would regenerate the certificate and then reload the LDAPS handler by disabling it and re-enabling it. If there was a way to reload the SSL cert in DS without a minor outage of LDAPS that would be even better.
I also had a script that was an init container that generated the correct SSL certificate format from the Certificate secret that DS needs.
Happy to share those scripts if they're useful. But they're in Python though.
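A minimal version of the sidecar pattern described in the comment above, added here as an example; it is not the scripts the commenter offered, nor code from ds-operator or cert-manager. It assumes the cert-manager `Certificate` secret is mounted into the pod as files (`tls.crt`, `tls.key`, `ca.crt`, the keys cert-manager writes into a TLS secret), detects rotation by hashing those files, and then hands off to a caller-supplied reload callback. The `keystore_command` helper only builds an `openssl pkcs12` command line for the PEM-to-PKCS12 conversion step; the actual DS command for disabling and re-enabling the LDAPS handler is not given on this page, so it is left as the hypothetical callback `on_change`.

```python
"""Sidecar sketch: watch a mounted cert-manager TLS secret and trigger a reload.

Kubernetes updates a mounted secret atomically by re-pointing the ..data
symlink, so re-reading the files by their public names is enough to see the
new material. Polling on content hash (rather than mtime) avoids spurious
reloads when the volume is refreshed with identical contents.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Callable, List

# Keys cert-manager writes into a kubernetes.io/tls secret.
CERT_FILES = ("tls.crt", "tls.key", "ca.crt")


def fingerprint(secret_dir: str) -> str:
    """SHA-256 over the names and contents of the secret files that exist."""
    h = hashlib.sha256()
    for name in CERT_FILES:
        path = Path(secret_dir) / name
        if path.is_file():
            h.update(name.encode())
            h.update(path.read_bytes())
    return h.hexdigest()


def keystore_command(secret_dir: str, out_path: str) -> List[str]:
    """argv for converting the PEM pair into a PKCS12 keystore that DS can load.

    The export password is read from the PKCS12_PASS environment variable
    (openssl's env: syntax) rather than placed on the command line, so it
    does not show up in `ps` output or pod logs. Caller runs this via
    subprocess; it is not executed here.
    """
    d = Path(secret_dir)
    return [
        "openssl", "pkcs12", "-export",
        "-in", str(d / "tls.crt"),
        "-inkey", str(d / "tls.key"),
        "-certfile", str(d / "ca.crt"),
        "-out", out_path,
        "-passout", "env:PKCS12_PASS",
    ]


class SecretWatcher:
    """Polls a mounted secret and calls on_change once per rotation."""

    def __init__(self, secret_dir: str, on_change: Callable[[str], None]):
        self.secret_dir = secret_dir
        self.on_change = on_change
        self.last = fingerprint(secret_dir)

    def poll(self) -> bool:
        """Return True (and invoke the callback) if the secret changed."""
        current = fingerprint(self.secret_dir)
        if current == self.last:
            return False
        self.last = current
        self.on_change(self.secret_dir)  # e.g. rebuild keystore, bounce LDAPS
        return True

    def run(self, interval: float = 30.0) -> None:
        while True:
            self.poll()
            time.sleep(interval)


def simulate_rotation() -> tuple:
    """Offline demo with a constructed (not real) certificate: rotate once,
    returning (poll_before, poll_after, reload_count, argv_length)."""
    reloads = []
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "tls.crt").write_bytes(b"-----BEGIN CERTIFICATE-----\nfake-v1\n")
        (Path(d) / "tls.key").write_bytes(b"-----BEGIN PRIVATE KEY-----\nfake-key\n")
        w = SecretWatcher(d, lambda path: reloads.append(path))
        before = w.poll()                       # unchanged -> False
        (Path(d) / "tls.crt").write_bytes(b"-----BEGIN CERTIFICATE-----\nfake-v2\n")
        after = w.poll()                        # rotated -> True, one reload
        argv = keystore_command(d, os.path.join(d, "keystore.p12"))
    return before, after, len(reloads), len(argv)


if __name__ == "__main__":
    print(simulate_rotation())
```

In a real deployment the callback would run `keystore_command` through `subprocess.run`, check its return code, and only then bounce the LDAPS handler, so a malformed secret never replaces a working keystore.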