Problem Statement
The challenge is the dynamic updating and management of certificates in an application that supports mTLS and interacts with client services that are frequently added and removed.
Suppose your application needs to support mTLS with two well-known client services, `foo` and `bar`, each having a specific intermediate CA (Certificate Authority). Client services are dynamically installed/removed from the cluster. For improved resiliency/manageability, you do not want to change the deployment of your application whenever a new client service is installed in the cluster: the client CAs must be dynamically added/removed to your server truststore as their services are installed/removed from the cluster.
Proposed Solution
This PR aims to address this issue by allowing certificates to be marked as optional. With this feature, the application can start and continue running regardless of the availability of these certificates. It also allows the addition of multiple certificates, as mentioned here.
Current Status
This pull request is currently a draft/proof of concept. It does not yet include tests or documentation and is intended to gather feedback. The implementation includes several TODOs.
An example of an `application.yaml` with multiple/optional certificates would look like:

```properties
spring.ssl.bundle.pem.server.truststore.certificates[0]=optional:/var/secrets/foo/ca.crt
spring.ssl.bundle.pem.server.truststore.certificates[1]=optional:/var/secrets/bar/ca.crt
spring.ssl.bundle.pem.server.truststore.certificates[2]=/var/secrets/other/ca.crt
```
Some use cases:
1. The configuration with the deprecated property continues to work as expected:

```properties
spring.ssl.bundle.pem.server.keystore.certificate=classpath:certs/server.crt
spring.ssl.bundle.pem.server.keystore.private-key=classpath:certs/server.key
spring.ssl.bundle.pem.server.truststore.certificate=classpath:certs/ca.crt
spring.ssl.bundle.pem.server.reload-on-update=true
server.ssl.client-auth=need
```
TODO: Since the structure for loading certificates is the same for both keystore and truststore, should there be limitations on optionality and multiple certificates in the keystore? Should the `certificate` property allow optionality?

TODO: Consider creating a validation to ensure that `certificate` and `certificates` cannot be used simultaneously.
- In this case, both certificates in the truststore will be required for proper functionality.

```properties
spring.ssl.bundle.pem.server.keystore.certificates=classpath:certs/server.crt
spring.ssl.bundle.pem.server.keystore.private-key=classpath:certs/server.key
spring.ssl.bundle.pem.server.truststore.certificates[0]=/resources/main/ca.crt
spring.ssl.bundle.pem.server.truststore.certificates[1]=/resources/main/ca_cert.crt
spring.ssl.bundle.pem.server.reload-on-update=true
server.ssl.client-auth=need
```
- If the files (`ca.crt` and `ca_cert`) do not exist, they will be treated as empty, as no certificates will be available for loading at that moment. However, since the `reload-on-update` property is set to true, the parent directory will be monitored. Once changes are detected and the files become available, they will be loaded.

```properties
spring.ssl.bundle.pem.server.keystore.certificates=classpath:certs/server.crt
spring.ssl.bundle.pem.server.keystore.private-key=classpath:certs/server.key
spring.ssl.bundle.pem.server.truststore.certificates[0]=optional:/resources/main/ca.crt
spring.ssl.bundle.pem.server.truststore.certificates[1]=optional:/resources/main/ca_cert.crt
spring.ssl.bundle.pem.server.reload-on-update=true
server.ssl.client-auth=need
```
- In this case, if the `isReloadOnUpdate` property is set to `true`, the `ca.crt` certificate will still be observed.

```properties
spring.ssl.bundle.pem.server.keystore.certificates=classpath:certs/server.crt
spring.ssl.bundle.pem.server.keystore.private-key=classpath:certs/server.key
spring.ssl.bundle.pem.server.truststore.certificates[0]=optional:/resources/main/ca.crt
spring.ssl.bundle.pem.server.truststore.certificates[1]=-----BEGIN CERTIFICATE-----MIID1zCCAr+gAwIBAgIUNM5QQv8IzVQsgSmmdPQNaqyzWs4wDQYJKoZIhvcNAQEL...V0IJjcmYjEZbTvpjFKznvaFiOUv+8L7jHQ1/Yf+9c3C8gSjdUfv88m17pqYXd+DsngX6JBJI7fw7tXoqWSLHNiBODM88fUlQSho8-----END CERTIFICATE-----
spring.ssl.bundle.pem.server.reload-on-update=true
server.ssl.client-auth=need
```
TODO: Or should we keep the exception if one or more items in the list are not observable?
Related Issue
This PR is related to this comment in the issue #38754
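As an added illustration of the optional-entry semantics described in this PR (example code, not part of the PR or of Spring Boot itself), the stand-alone Java program below resolves a list of `optional:`-prefixed PEM paths into an in-memory PKCS12 truststore, skips missing optional files, fails on missing required ones, and rebuilds the store whenever a watched parent directory changes, mirroring what `reload-on-update` is described as doing. The `optional:` prefix handling, the alias scheme, the `/var/secrets/...` paths and the Java 17 target are assumptions of the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.function.Consumer;
import javax.net.ssl.TrustManagerFactory;

// Added example (not Spring Boot or this PR's code): models the "optional:" rule the PR
// describes for PEM truststore entries, plus a reload-on-update style directory watcher.
public final class OptionalTruststore {

    static final String OPTIONAL_PREFIX = "optional:"; // assumed prefix, as in the PR examples

    // One configured truststore entry, e.g. "optional:/var/secrets/foo/ca.crt".
    record Entry(Path path, boolean optional) {
        static Entry parse(String value) {
            boolean optional = value.startsWith(OPTIONAL_PREFIX);
            String location = optional ? value.substring(OPTIONAL_PREFIX.length()) : value;
            return new Entry(Path.of(location), optional);
        }
    }

    // Builds an in-memory PKCS12 truststore: missing optional files add nothing,
    // a missing required file aborts the build.
    static KeyStore build(List<String> values) throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance("PKCS12");
        store.load(null, null);
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        for (String value : values) {
            Entry entry = Entry.parse(value);
            if (!Files.isRegularFile(entry.path())) {
                if (entry.optional()) {
                    continue; // "treated as empty" until a reload finds the file
                }
                throw new NoSuchFileException(entry.path().toString());
            }
            try (InputStream in = Files.newInputStream(entry.path())) {
                // A PEM file may hold several certificates (intermediate plus root); load all of them.
                for (Certificate cert : factory.generateCertificates(in)) {
                    X509Certificate x509 = (X509Certificate) cert;
                    String alias = x509.getSubjectX500Principal().getName()
                            + "#" + x509.getSerialNumber().toString(16);
                    store.setCertificateEntry(alias, x509);
                }
            }
        }
        return store;
    }

    // Turns the truststore into a TrustManagerFactory ready for an SSLContext.
    static TrustManagerFactory trustManagers(KeyStore store) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        return tmf;
    }

    // Watches each entry's parent directory (as reload-on-update is described to do) and
    // rebuilds the whole store on any change. Blocks the calling thread.
    static void watch(List<String> values, Consumer<KeyStore> onReload) throws IOException, InterruptedException {
        WatchService watcher = FileSystems.getDefault().newWatchService();
        Set<Path> registered = new HashSet<>();
        for (String value : values) {
            Path dir = Entry.parse(value).path().toAbsolutePath().getParent();
            if (dir != null && registered.add(dir) && Files.isDirectory(dir)) {
                dir.register(watcher, StandardWatchEventKinds.ENTRY_CREATE,
                        StandardWatchEventKinds.ENTRY_MODIFY, StandardWatchEventKinds.ENTRY_DELETE);
            }
        }
        while (true) {
            WatchKey key = watcher.take();
            key.pollEvents(); // drain; the full list is rebuilt regardless of which file changed
            try {
                onReload.accept(build(values));
            } catch (IOException | GeneralSecurityException e) {
                // A required file vanished or a file is not valid PEM: keep the previous truststore.
                System.err.println("reload skipped: " + e);
            }
            if (!key.reset()) {
                break; // the watched directory itself was removed
            }
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> values = List.of(
                "optional:/var/secrets/foo/ca.crt",
                "optional:/var/secrets/bar/ca.crt",
                "/var/secrets/other/ca.crt");
        KeyStore store = build(values);
        System.out.println("trusted CA entries: " + store.size());
        if (store.size() == 0) {
            System.out.println("empty truststore: with client-auth=need no client can complete the handshake");
        }
        trustManagers(store);
        watch(values, reloaded -> System.out.println("truststore rebuilt"));
    }
}
```

Two checks a practitioner will want alongside this behaviour: with `server.ssl.client-auth=need`, a truststore that ends up empty because every optional CA is still missing rejects every client handshake rather than letting clients through, so the failure mode is closed, not open; and because it is the parent directory that gets watched, anyone who can write a file into that directory can introduce a CA the server will trust at the next reload, so the secret mounts need the same write protection as the server key itself.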