thelabdude opened a new pull request, #461:
URL: https://github.com/apache/solr-operator/pull/461
Fixes #390 ~ by allowing the JVM cacerts to get merged in with the
user-supplied truststore (Let's Encrypt's CA is in the cacerts for modern JVMs).
Users can now configure the TLS options to merge the JVM's truststore with
the truststore for their certs using:
```
spec:
  ...
  solrTLS:
    ...
    trustStoreSecret:
      name: dev-selfsigned-cert-tls
      key: truststore.p12
    mergeJavaTrustStore: "$JAVA_HOME/lib/security/cacerts"
```
The path given in the `mergeJavaTrustStore` option must exist on the Solr docker
image! Thus, if users customize their Solr image, this path may be different.
Behind the scenes, this creates an additional `initContainer` that merges
the two truststores together and then points the env var to the "merged"
truststore:
For server TLS:
```
- name: SOLR_SSL_TRUST_STORE
  value: /var/solr/tls-merged/truststore.p12
```
By pointing the `SOLR_SSL_TRUST_STORE` env var at the merged truststore, we
ensure that all the other initContainers and liveness probes continue to work
(as they just use the env var to resolve this path).
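The merge-then-verify step described above, as an added example (not code from this PR or the solr-operator): it merges a JVM cacerts file into a copy of a user PKCS12 truststore the way the initContainer is described to, and checks that no user CA was lost. It assumes a JDK 9+ `keytool` on PATH and store passwords defaulting to `changeit`.

```shell
#!/usr/bin/env bash
# Added example, not code from the solr-operator PR: merge JVM cacerts with a
# user PKCS12 truststore into one file (like the PR's initContainer) and verify.
# Assumes keytool from a JDK 9+ on PATH (store type auto-detected) and store
# passwords defaulting to "changeit", the JDK default for cacerts.
set -euo pipefail

# merge_truststores USER_STORE JVM_STORE MERGED_STORE
# Copies USER_STORE to MERGED_STORE, then imports every entry from JVM_STORE.
# Returns 2 if JVM_STORE is missing (the PR's caveat: the path named in
# mergeJavaTrustStore must exist in the Solr image actually in use).
merge_truststores() {
  local user_store=$1 jvm_store=$2 merged=$3
  local user_pass=${USER_PASS:-changeit} jvm_pass=${JVM_PASS:-changeit}
  [ -f "$jvm_store" ] || { echo "JVM truststore not found: $jvm_store" >&2; return 2; }
  mkdir -p "$(dirname "$merged")"
  cp "$user_store" "$merged"
  # -noprompt: on an alias clash the cacerts entry overwrites the user's, so
  # user CA aliases should not reuse cacerts alias names.
  keytool -importkeystore -noprompt \
    -srckeystore "$jvm_store" -srcstorepass "$jvm_pass" \
    -destkeystore "$merged" -deststoretype PKCS12 -deststorepass "$user_pass" \
    >/dev/null 2>&1
}

# trusted_entry_count STORE PASS -> number of trustedCertEntry entries (0 on error)
trusted_entry_count() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c trustedCertEntry || true
}

# verify_merged USER_STORE MERGED_STORE PASS
# Succeeds only if every user CA alias survived the merge and the merged store
# holds more trusted entries than the user store (i.e. cacerts came along).
verify_merged() {
  local user_store=$1 merged=$2 pass=$3 missing
  missing=$(keytool -list -keystore "$user_store" -storepass "$pass" 2>/dev/null \
    | grep trustedCertEntry | cut -d, -f1 \
    | while IFS= read -r alias; do
        keytool -list -keystore "$merged" -storepass "$pass" -alias "$alias" >/dev/null 2>&1 \
          || echo "$alias"
      done)
  [ -z "$missing" ] || { echo "user CAs lost in merge: $missing" >&2; return 1; }
  [ "$(trusted_entry_count "$merged" "$pass")" -gt "$(trusted_entry_count "$user_store" "$pass")" ]
}

# Usage: ./merge-truststores.sh USER_STORE JVM_STORE MERGED_STORE
if [ $# -eq 3 ]; then
  merge_truststores "$@" && verify_merged "$1" "$3" "${USER_PASS:-changeit}"
fi
```

Run it against a copy of the image's cacerts to confirm the path in `mergeJavaTrustStore` is right for a customized Solr image before relying on the merged store.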
Added a few simple unit tests and tested manually in my cluster.
For the Prom exporter, the config would be:
```
spec:
  solrReference:
    ...
    solrTLS:
      ...
      mergeJavaTrustStore: "$JAVA_HOME/lib/security/cacerts"
```
Which results in the exporter container getting configured with the env var:
```
- name: SOLR_SSL_CLIENT_TRUST_STORE
  value: /var/solr/tls-merged/truststore.p12
```