Simplification of TLS config

secrets-create.sh

@@ -50,8 +50,15 @@ kubectl -n "${NS}" create secret generic gravitee-jwt \
   --from-literal=GRAVITEE_JWT_SECRET="${JWT_SECRET}" \
   --dry-run=client -o yaml | kubectl apply -f -
 
+echo "==> Creating CA trust secret for nginx ingress proxy-ssl-secret"
+# Contains only ca.crt (no tls.crt/key) to avoid nginx presenting the CA as a client cert.
+kubectl -n "${NS}" get secret gravitee-ca-tls -o jsonpath='{.data.ca\.crt}' | base64 -d | \
+  kubectl -n "${NS}" create secret generic gravitee-ca-trust \
+    --from-file=ca.crt=/dev/stdin \
+    --dry-run=client -o yaml | kubectl apply -f -
+
 echo ""
 echo "==> Done. Secrets created in namespace ${NS}:"
-kubectl -n "${NS}" get secrets | grep -E 'mongodb-credentials|gravitee-mongodb-uri|gravitee-admin|gravitee-jwt'
+kubectl -n "${NS}" get secrets | grep -E 'mongodb-credentials|gravitee-mongodb-uri|gravitee-admin|gravitee-jwt|gravitee-jks-password|gravitee-ca-trust'
 echo ""