Closed tseelbach closed 4 years ago
Had useful discussion with Operator team; they will automatically configure this for the CLI service. The server.xml for the CLI service (copied in by Docker file) will have to be updated to reference this new key:
<keyStore id="kabaneroLanding"
password="changeit"
location="/etc/tls/secrets/java.io/landingpage/keystores/keystore.p12"
type="PKCS12"/>
<ssl id="defaultSSLConfig" keyStoreRef="kabaneroLanding" trustDefaultCerts="true" sslProtocol="TLSv1.2"/>
Close based on reencrypt on CLI route in place in operator.
The CLI / REST service Route currently uses tls.termination: passthrough. We think it should be reencrypt, because if every service (landing, cli, what else?) uses passthrough they would each have unique certificate requirements.
Or, if customers require choice of passthrough, reencrypt, or edge then we need to know that as well.
These security choices should be made at install time for Kabanero as part of overall security strategy and not as a unique experience for the CLI / REST service.
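
The two termination modes discussed in this issue, side by side, as an added example that is not taken from the Kabanero operator. The Route name, Service name, port name and the CA placeholder are hypothetical.

```yaml
# Variant A: passthrough. The router forwards the TLS stream untouched,
# so the certificate in the pod's keystore is what external clients see
# and it must be valid for the external route hostname.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: kabanero-cli              # hypothetical name
spec:
  to:
    kind: Service
    name: kabanero-cli            # hypothetical Service
  port:
    targetPort: https             # hypothetical port name
  tls:
    termination: passthrough
---
# Variant B: reencrypt. The router terminates the client connection with
# the router's certificate, then opens a new TLS connection to the pod
# and verifies the pod's certificate against destinationCACertificate.
# Each service only needs an internally issued certificate.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: kabanero-cli              # hypothetical name
spec:
  to:
    kind: Service
    name: kabanero-cli            # hypothetical Service
  port:
    targetPort: https             # hypothetical port name
  tls:
    termination: reencrypt
    insecureEdgeTerminationPolicy: Redirect   # plain HTTP is redirected to HTTPS
    destinationCACertificate: |
      -----BEGIN CERTIFICATE-----
      <placeholder: CA that signed the certificate in the pod's keystore>
      -----END CERTIFICATE-----
```

With reencrypt the router sees the request in plaintext between the two TLS legs, which is the trade-off against passthrough to weigh when choosing a termination mode at install time.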