Simplification of TLS config

2026-05-03 12:48:42 +00:00
parent 5a48150820
commit 4f1c251ff8
4 changed files with 97 additions and 75 deletions
@@ -14,33 +14,19 @@ gateway:
  enabled: true
  replicaCount: 2

-  # Mount CA bundle and internal server cert
  extraVolumes: |
-    - name: gravitee-ca
-      secret:
-        secretName: gravitee-ca-tls
-        items:
-          - key: ca.crt
-            path: ca.crt
    - name: gateway-internal-tls
      secret:
        secretName: gateway-internal-tls
-    - name: es-truststore
-      secret:
-        secretName: elasticsearch-tls
        items:
-          - key: truststore.jks
-            path: truststore.jks
+          - key: keystore.p12
+            path: keystore.p12
+          - key: truststore.p12
+            path: truststore.p12
  extraVolumeMounts: |
-    - name: gravitee-ca
-      mountPath: /run/secrets/ca
-      readOnly: true
    - name: gateway-internal-tls
      mountPath: /run/secrets/tls
      readOnly: true
-    - name: es-truststore
-      mountPath: /run/secrets/truststore
-      readOnly: true

  env:
    - name: GRAVITEE_MANAGEMENT_MONGODB_URI
@@ -73,7 +59,7 @@ gateway:
          name: gravitee-jks-password
          key: password
    - name: JAVA_OPTS
-      value: "-Djavax.net.ssl.trustStore=/run/secrets/truststore/truststore.jks -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)"
+      value: "-Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStore=/run/secrets/tls/truststore.p12 -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)"

  # Enable HTTPS on the gateway listener (port 8082)
  ssl:
@@ -125,31 +111,18 @@ api:
  replicaCount: 1

  extraVolumes: |
-    - name: gravitee-ca
-      secret:
-        secretName: gravitee-ca-tls
-        items:
-          - key: ca.crt
-            path: ca.crt
    - name: api-internal-tls
      secret:
        secretName: api-internal-tls
-    - name: es-truststore
-      secret:
-        secretName: elasticsearch-tls
        items:
-          - key: truststore.jks
-            path: truststore.jks
+          - key: keystore.p12
+            path: keystore.p12
+          - key: truststore.p12
+            path: truststore.p12
  extraVolumeMounts: |
-    - name: gravitee-ca
-      mountPath: /run/secrets/ca
-      readOnly: true
    - name: api-internal-tls
      mountPath: /run/secrets/tls
      readOnly: true
-    - name: es-truststore
-      mountPath: /run/secrets/truststore
-      readOnly: true

  env:
    - name: GRAVITEE_MANAGEMENT_MONGODB_URI
@@ -192,7 +165,7 @@ api:
          name: gravitee-jks-password
          key: password
    - name: JAVA_OPTS
-      value: "-Djavax.net.ssl.trustStore=/run/secrets/truststore/truststore.jks -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)"
+      value: "-Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStore=/run/secrets/tls/truststore.p12 -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)"

  # Enable HTTPS on Management API + Portal API listeners
  http: